Welcome to the first edition of The Quantum Leap, your quarterly update on the Advanced Encryption Standard (AES) Migration Program.
The migration to AES will be the most significant security upgrade for Australia’s national card payments system in the last 25 years.
Each quarter, we will bring you a high-level update on the progress of the program and what’s ahead. We will also provide updates on developments in Australia and globally, and will focus on cyber security, cryptography and the impacts of classical and quantum computing.
Your suggestions for topics in future publications and feedback on our first edition are welcomed. Please feel free to contact us by email at aesmigrationprogramteam@auspaynet.com.au.
We hope you enjoy this first edition.
Riaz Hussain
Program Sponsor & Head of Security & Standards, AusPayNet
AES and the Triple Data Encryption Standard (TDES) are cryptographic algorithms that protect sensitive card payment data during transmission and storage.
TDES is currently widely used in the Australian payments system. However, advances in computing technology, including the increasing power of classical computing and quantum computing, present a material risk to the effectiveness of TDES.
Compared to TDES, AES is widely recognised as a more secure cryptographic algorithm that is resistant to the fastest currently identified quantum algorithms. AES was specifically established by the United States National Institute of Standards and Technology (NIST) in 2001 to replace TDES, offering much greater security and efficiency.
The key differences between AES and TDES include:
Adoption of AES would substantially reduce the likelihood of an attack on payments data, increasing the security and integrity of the card payments system as a whole and benefitting consumers and businesses.
In June 2023, the Australian Government released its Strategic Plan for Australia’s Payments System, setting out key priorities to support a safer, more efficient, and future-ready payments landscape.
One of the key priorities of the Plan is promoting a safe and resilient payments system that protects end-users and safeguards their ability to transact safely and securely. This includes ensuring the payments industry is well-placed to protect against cyber-attacks and requiring the industry to continually uplift system-wide security standards and practices, including encryption methods for card payments systems.
The Plan requires the Australian card payments industry to begin migration to AES in 2025. This process necessitates the design, development, and delivery of a program to migrate our card payments system from TDES to AES cryptography standards.
AusPayNet is leading an industry-wide program to migrate the Australian card payments system to AES. The program is planned for completion in 2030/31, subject to any necessary regulatory approvals.
The project has a broad scope, bringing together 55 issuers, 25 acquirers, the card schemes, and almost one million payment terminals and ATMs, with the purpose of moving to a more secure and efficient card payments system.
Image: Typical card transaction flow
We are managing the program through the Issuers and Acquirers Community. This has broad representation across the industry and is the natural framework for this kind of program.
The following illustrates the program’s journey to date.
Early 2022
AusPayNet surveyed Issuers and Acquirers Community Members to understand the appetite to migrate to AES and received strong support for the migration.
September 2022 – June 2023
AusPayNet commissioned a plan of work to develop a Program Initiation Document for the AES migration, which was approved by the AusPayNet Board in mid-2023.
This document foreshadowed an 18-month initiation and mobilisation phase, which we commenced in July 2023.
July – December 2024
This phase delivered the initial versions of the foundational documents for the program, including:
Collectively, this work serves as a key input to card payments system participants in developing their organisations’ own migration plans.
Our current phase of focus (2025) is on preparation for pilot, currently scheduled for 2026. Key deliverables from this phase include:
In 2026, we will focus on the early stages of industry testing and pilot, while from January 2027 onwards, we will be dedicated to the execution and rollout of the migration.
In addition to the work being undertaken in Australia, governments and payment system operators globally are taking action, driven by national infrastructure security needs and government policy.
Jurisdiction | Status
--- | ---
United States | In the United States, the National Institute of Standards and Technology (NIST) has disallowed use of TDES for encryption of government data from 2023 onwards.
European Union | The European Union Agency for Cybersecurity (ENISA) classified TDES as a legacy standard in 2013, recommending the use of AES.
United Kingdom | The UK Government’s National Cyber Security Centre report (Dec 2024) urges "all sectors to address the risks posed by quantum computing ASAP, accelerating their efforts." They have established Timelines for migration to post-quantum cryptography, calling for migration of critical systems by 2031.
France | In France, Cartes Bancaires is leading the migration to AES, with the interbank network migration completed and over 80% of payment terminals AES ready.
Germany | Migration to AES has been completed in Germany following a regulatory requirement to do so.
Singapore | The Monetary Authority of Singapore (MAS) issued an Advisory on Addressing the Cybersecurity Risks Associated with Quantum in February 2024 highlighting measures that FIs should consider as part of their quantum transition efforts.
In October 2024, the G7 Cyber Expert Group (CEG) published its Statement on planning for the opportunities and risks of quantum computing, in which it "encourages jurisdictions to monitor developments in quantum computing, to promote collaboration among relevant public and private stakeholders, and to begin planning for the potential risks posed by quantum computing on some current encryption methods."
These are just some examples of actions being taken to address the risks associated with quantum computing. While there are differences in the approaches of each jurisdiction, the direction and motivation to act are consistent.
Domestically, policy support for the AusPayNet Program is building strongly.
We expect government and regulator support for the program will only continue to strengthen.
Is AES really quantum safe?
AES is considered safe from advances in both classical and quantum computing. This position is supported by the various security agencies around the world, such as ASD and NIST.
Should we jump to the next generation post-quantum standards?
Post-quantum standards have been under development for a number of years, primarily through NIST in the United States. These standards are in an early stage of development, with limited practical usage to date. Conversely, AES is well established and supported by a wide range of technology providers. This means that the upgrade to AES would be a far simpler and well understood task than adoption of whole new standards.
Do you need to upgrade ATMs given the decline in cash?
It is important to upgrade all points of access to the Card Payments System. ATMs are considered essential infrastructure, especially for rural and remote communities in Australia, regardless of their declining usage, and ongoing support for cash as a payment method is a necessity. However, the rationale for the upgrade is not related to the decline in ATM usage. The upgrade is necessary to ensure that ATM transactions remain secure and protected against potential security threats. Making ATMs more secure may include replacing or upgrading the devices that protect PIN data when an ATM is used, installing new devices to improve security, and updating the ATM’s software and hardware.
Will PINs and card numbers become obsolete soon? If so, why do we need to do this?
The migration to AES with Key Blocks is substantially driven by the need to enhance the security of card payments and protect sensitive information, such as cardholder data and PINs. The decline in the usage of PINs and the emergence of other technologies (e.g. digital wallets) does not change the rationale for this project, as these technologies may not be suitable for all payment scenarios.
How can we get involved if we are not members of the Issuers and Acquirers Community?
Contact AusPayNet to see if you can become a member or talk to AusPayNet Members who are participating in the program.
Please reach out if you would like further information or to suggest topics you would like us to explore in future newsletters at aesmigrationprogramteam@auspaynet.com.au