Have your say: Consultation on Electronic Funds Transfer (EFT) Standard (AS2805)


5 August 2025

By David McGregor, Security Standards Manager, AusPayNet
 
AS2805 is the Australian standard for electronic funds transfers used primarily for card-based payment transactions. It defines the structure and contents of messages, describes details of the cryptography used to secure payments and the protocols used to ensure interoperability between terminals, acquirers, issuers and card networks.

The AS2805 standard was first published in 1985. Initially Parts 1-5 were published, with further parts added in subsequent updates. These standards exclusively used the Data Encryption Standard (DES) with a 56-bit key, both to protect PINs and to authenticate messages with a Message Authentication Code (MAC). Triple Data Encryption Standard (TDES) was added as an approved encryption algorithm in 2000 (as defined in AS2805.5.4) and incorporated into other parts of AS2805 over time.

Card payments in Australia continue to use cryptography based on TDES, even though stronger and faster cryptography is now available. There is a need to upgrade systems and move them away from known vulnerable algorithms, such as TDES, to known stronger algorithms including Advanced Encryption Standard (AES).

Many parts of AS2805 assume TDES and have not been updated despite advances in general cryptography and payments security. Standards produced by global bodies have benefited from regular updates from various stakeholders with support for AES, Elliptic Curve Cryptography (ECC), key blocks and other modern security features.

As a component of this modernisation effort, the suite of AS2805 standards has been revisited to determine if existing standards are still relevant, require updates or should be withdrawn. IT-005 is the working group responsible for AS2805 standards and has been making these changes with support from Standards Australia.

As a result of this review, several parts of AS2805 have been withdrawn or, where appropriate, replaced by an equivalent ISO standard. AusPayNet and its members prefer the use of such international standards over Australian-specific standards.

 Superseded AS2805 Part                                       Replacement ISO standard
 AS 2805.6.1.1-2009, AS 2805.6.1.2-2009, AS 2805.6.1.4-2009   AS ISO 11568:2025 / ISO 11568:2023
 AS 2805.16-2008                                              AS ISO 18245:2025 / ISO 18245:2023
 AS 2805.12.x-2008 (all parts)                                AS ISO 8583:2025 / ISO 8583:2023
 AS 2805.13.1:2000                                            AS ISO/IEC 10118.1:2016/Amd 1:2021
 AS 2805.5.1:1992                                             None – No more Single DES

The review also found that no relevant ISO standard was available for three other parts of AS2805, and IT-005 has decided to revise these parts:

  • Part 2 of AS2805 ‘Message structures, format and content’ describes how to transfer card payment related messages between participants. The new draft adds extra data elements to the Australian-specific field 47 as well as support for AES-encrypted PIN blocks and AES MACs.
  • AS2805.6.9 ‘AES Session Keys – Node to Node’ includes details on how key blocks are used to exchange session keys between nodes in an interchange environment. This document has been updated with additional definitions, revised wording and recommendations on using RSA and ECC for key initialisation.
  • Part 9 of AS2805 ‘Privacy of Communications’ provides a method for encrypting sensitive sections of a payment message whilst leaving fields needed for routing, parsing or decryption in plaintext. The method described has been updated to use AES instead of TDES.

All three of these updated documents are currently open for public comment at https://comment.standards.org.au/. Parts 9 and 6.9 close for comments on Thursday, 28 August 2025, with Part 2 closing on Wednesday, 10 September.

Interested readers are encouraged to review the drafts and submit feedback before the comment periods end.