The standards landscape in Australian payments

27 July 2023

by Paul Creswick, Security Evangelist, AusPayNet

Australia currently has a rich suite of payments-related standards, developed by Standards Australia’s IT-005 Financial Transaction Systems Committee, which is the Australian mirror committee to ISO’s Technical Committee 68 (TC68) on Financial Services.

These standards fall under the umbrella of Australian Standard (AS) 2805 “Electronic Funds Transfer – Requirements for Interfaces.” AS 2805 has almost 30 sections, covering:

  • communications, message format and authentication
  • PIN security
  • approved encipherment algorithms and hash functions
  • key management including principles, transaction and session keys, and terminal initialisation
  • secure cryptographic devices.

Several of the sections are either exact or amended adoptions of ISO standards. However, the standards governing key management of session keys from terminal to acquirer, interchange, and terminal initialisation, and those on message structure, format and content are Australian-specific and do not have direct ISO equivalents.

AusPayNet – in its role as the self-regulatory body for the Australian payments industry – administers frameworks for various Australian payment systems (or “Clearing Systems”). In this capacity, it mandates the use of certain Australian and ISO standards (as well as relevant PCI and EMVCo standards). Most notably, the use of the following ISO standards from TC68/SC2, dealing with the security of financial systems, is mandatory:

  • 11568 Key Management – all parts;
  • 9564 PIN Security – all parts; and
  • 13491 Secure Cryptographic Devices – all parts.

Given the above, it is worth noting that:

  • the 2022 version of 11568 is scheduled for Direct Text Adoption (DTA) this year
  • AusPayNet is participating in the redrafting of 9564.1, including the use of open networks for PIN management (which is based on Australian artefacts)
  • AusPayNet is also participating in the redrafting of 9564.5, dealing with the use of stronger algorithms for PIN generation and verification. This is urgently needed as the Triple Data Encryption Standard is retired and we migrate globally to stronger, quantum-safe symmetric algorithms such as the Advanced Encryption Standard (AES) (see below).

ISO 20022

For the last three years, AusPayNet has led the ISO 20022 Industry Migration Program to migrate the Australian High Value Clearing System (HVCS) from Swift’s MT format to ISO 20022. This has also involved Australia’s central bank, the Reserve Bank of Australia (RBA), migrating its Real-Time Gross Settlement (RTGS) system, as well as 50 financial institution members of AusPayNet migrating numerous payment systems, interfaces, and back-office systems, to ISO 20022.

The Australian HVCS ISO 20022 message specifications were developed to harmonise with High Value Payments Plus (HVPS+, the global Market Infrastructure – MI – template) and Cross-Border Payments and Reporting Plus (CBPR+, the ISO 20022 standard used by Swift for cross-border payments).

Looking at the immediate future through a standards lens, there are two aspects of harmonisation currently being considered by the global payments community, and in Australia:

  • harmonisation between HVPS+ and CBPR+
  • harmonisation of ISO 20022 versions across jurisdictions and with CBPR+, including harmonisation of future version changes.

Since several MIs around the globe went live with ISO 20022 for domestic RTGS, along with CBPR+, in March 2023, some have identified a range of friction points due to variance between HVPS+ and CBPR+. However, because Australia is more closely aligned with CBPR+ than some other countries, many of the issues identified do not exist here. Australia will next upgrade its HVCS ISO 20022 message collection in 2025, and AusPayNet will take the opportunity to align even further with CBPR+ where possible at that time.

There are various ISO 20022 implementations in use (or planned) within Australia, which include:

  • HVCS (based on HVPS+ and CBPR+)
  • CBPR+ for cross-border payments
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC)
  • Australian Payments Plus (its New Payments Platform, NPP)
  • the Australian Securities Exchange (ASX, its Austraclear system).

Many AusPayNet Members operate in several MIs, and/or across different systems such as HVCS, NPP, ASX etc. Fragmentation, or variation in version, between these implementations creates an operational overhead as well as operational and interoperability challenges for those Participants. This is an area already under scrutiny by the Committee on Payments and Market Infrastructures (CPMI), which sees greater harmonisation as a means of reducing friction and cost and increasing speed, transparency and access.

Currently, HVCS, CBPR+ and NPP are running the 2020, 2019 and 2015 versions of ISO 20022, respectively. These version differences make close harmonisation harder to achieve and add complexity to the maintenance of Participant systems.

Some level of harmonisation of versions is desirable but needs to be balanced against the overheads of frequent version changes. AusPayNet is actively promoting, and participating in, these conversations.
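As an added illustration (not code from AusPayNet, HVCS, NPP or any other system named above), the following Python shows where the message definition version travels in an ISO 20022 message, in the XML namespace of the Document element, and how a receiving system can check an incoming message against the versions it supports. The sample message and the per-rail version table are constructed placeholders; they are not the actual HVCS, CBPR+ or NPP configurations, which come from each scheme's usage guidelines.

```python
"""Detect the ISO 20022 message definition identifier and version carried in a
message's XML namespace, and check it against what a receiving rail supports.

Illustrative example only. The sample message and the rail table below are
constructed placeholders, not real HVCS, CBPR+ or NPP configuration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# ISO 20022 XML schema namespaces have the form
#   urn:iso:std:iso:20022:tech:xsd:<area>.<functionality>.<flavour>.<version>
# e.g. pacs.008.001.08 = business area pacs, functionality 008,
# flavour 001, message definition version 08.
NS_RE = re.compile(
    r"^urn:iso:std:iso:20022:tech:xsd:([a-z]{4})\.(\d{3})\.(\d{3})\.(\d{2})$"
)
# ElementTree renders a namespaced tag as "{namespace}localname"
TAG_RE = re.compile(r"^\{([^}]*)\}(.*)$")


@dataclass(frozen=True)
class MsgDefId:
    area: str
    functionality: str
    flavour: str
    version: int

    @property
    def family(self) -> str:
        # Identifier without the version, e.g. "pacs.008.001"
        return f"{self.area}.{self.functionality}.{self.flavour}"

    @property
    def identifier(self) -> str:
        return f"{self.family}.{self.version:02d}"


def msg_def_id_from_xml(xml_text: str) -> MsgDefId:
    """Parse the Document root and return its message definition identifier."""
    root = ET.fromstring(xml_text)
    tag = TAG_RE.match(root.tag)
    if not tag:
        raise ValueError("root element is not namespaced; not an ISO 20022 Document")
    namespace, local = tag.groups()
    if local != "Document":
        raise ValueError(f"expected root element Document, got {local}")
    ns = NS_RE.match(namespace)
    if not ns:
        raise ValueError(f"namespace is not an ISO 20022 schema URN: {namespace}")
    area, functionality, flavour, version = ns.groups()
    return MsgDefId(area, functionality, flavour, int(version))


def is_iso20022_document(xml_text: str) -> bool:
    try:
        msg_def_id_from_xml(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def check_version(xml_text: str, supported: dict) -> tuple:
    """supported maps a message family to the set of versions the rail accepts.
    Returns ("accept" | "reject", detail)."""
    mid = msg_def_id_from_xml(xml_text)
    accepted = supported.get(mid.family)
    if accepted is None:
        return "reject", f"{mid.family} is not supported by this rail"
    if mid.version in accepted:
        return "accept", mid.identifier
    return "reject", f"{mid.identifier}: version not in {sorted(accepted)}"


def route_report(xml_text: str, rails: dict) -> dict:
    """Show how one message fares across several rails with differing versions."""
    return {name: check_version(xml_text, sup)[0] for name, sup in rails.items()}


# Constructed sample message (not a real payment); only the namespace matters here.
SAMPLE_PACS008_V08 = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08">
  <FIToFICstmrCdtTrf>
    <GrpHdr><MsgId>EXAMPLE-0001</MsgId></GrpHdr>
  </FIToFICstmrCdtTrf>
</Document>"""

# Constructed placeholder table: three hypothetical rails that accept different
# pacs.008 versions. Not the real version sets of HVCS, CBPR+ or NPP.
EXAMPLE_RAILS = {
    "rail-A": {"pacs.008.001": {8}},
    "rail-B": {"pacs.008.001": {6, 8}},
    "rail-C": {"pacs.008.001": {2}},
}

if __name__ == "__main__":
    print(msg_def_id_from_xml(SAMPLE_PACS008_V08).identifier)
    for rail, status in route_report(SAMPLE_PACS008_V08, EXAMPLE_RAILS).items():
        print(f"{rail}: {status}")
```

The same message is accepted by two of the hypothetical rails and rejected by the third, which is exactly the maintenance burden the version gap between HVCS, CBPR+ and NPP creates for a Participant connected to all of them. Two practical notes: for messages from an external party, parse with a hardened parser such as defusedxml rather than the standard library ElementTree, and pair this namespace check with schema validation against the rail's published XSD, since the namespace only tells you which version the sender claims to have used.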

AES

In response to advances in computing power and cryptanalysis, governments and payment system operators globally are taking action to enhance security standards, and in particular encryption methods. The most widely used encryption standard, the Triple Data Encryption Algorithm (TDES), is considered vulnerable in the medium term to increasing classical computing power and advances in cryptanalysis. This is prompting many jurisdictions to implement migration programs towards encryption standards such as AES, which is considered safe against both quantum and classical computing.

In Australia, AusPayNet has recently completed a consultation with the card payments industry. This consultation concluded that migrating Australian card payments to AES will be a significant industry effort requiring an estimated six to seven years to complete. It will impact all payment system participants, requiring the estimated upgrade of 970,000 point-of-sale (POS) terminals, 25,200 ATMs across 55 issuers and 25 acquirers, along with service providers, gateways, and technology partners. It is worth noting that cards will not need to be reissued, nor will the cardholder experience be impacted.

The next phase of work will include preparatory activities to finalise outstanding issues, including the technical blueprint, testing strategy, migration approach, and legal, risk and compliance assessment, so as to give Participants time to formalise their business cases, secure funding and mobilise teams.

The Future

In June 2021, the Australian Government completed its Review of the Australian Payments System. That review concluded that a single, tiered payments licensing framework – based on a defined list of payment functions – should be introduced for payment services. As part of that licensing framework, the review also concluded (in recommendation 12) that “compliance with technical standards set by authorised industry bodies should be mandatory for payments licence holders.”

Given this proposed change to payments system regulation, AusPayNet is currently undertaking a program of work to become an authorised standards-setting body. This will see an evolution of the organisation's role, from self-regulation of framework participants to requiring compliance with standards by all payments licensees.