Welcome to the second edition of The Quantum Leap, our quarterly update on the AES Migration Program.
Each quarter, we will bring you a high-level update on the progress of the program and what’s ahead. We will also provide updates on developments in Australia and globally, and will focus on cyber security, cryptography and the impacts of classical and quantum computing.
Your suggestions for topics in future publications and feedback on this edition are welcomed. Please feel free to contact us by email at aesmigrationprogramteam@auspaynet.com.au.
We hope you enjoy this second edition.
Riaz Hussain Head of Security, Standards & AES Transition
What we have achieved in the last quarter
The current phase of the program is focused on preparation for pilot, currently scheduled for 2026. Key deliverables from this phase include:
An update to the Technical Blueprint to include amendments to the relevant Australian Standard, AS2805.
A migration handbook, which will provide further guidance to participants on how to navigate the migration process and become a repository of lessons learned as we proceed.
Industry Testing Plans and the supporting tools that participants will require.
An Information Management System (IMS) to enable the industry to track progress.
An uplift in communications and change activities as the industry mobilises.
Specifically, the last quarter has seen progress continue with:
Public consultation on the proposed revisions to AS2805.
Development of updates to the Issuers and Acquirers Community (IAC) Code Set – this articulates the specific program compliance obligations for IAC issuers and acquirers.
Consultation on the setting of sunrise and sunset dates for the program – these dates are the key milestones for the program and establish compliance timeframes for program participants.
Ongoing development of industry test plans.
Ongoing development of the migration handbook.
Development of the IMS commencing.
Member open days in Sydney and Melbourne (more below).
A mid-year review of the program to ensure it remains on track for success.
Sydney and Melbourne open days
We recently held two Member open days in Sydney and Melbourne, providing an opportunity for program participants to come together and hear the latest from the Government, industry and AusPayNet.
Highlights of the two events included presentations on:
The cyber threat landscape.
International and domestic actions to address the threat.
Combatting the threat with cyber security partnerships.
Australian public and private sector responses.
Cryptographic requirements and controls for security of payments.
The latest on the program.
We look forward to hosting more program events for collaboration, information sharing and networking. Our next will be a webinar on the Technical Blueprint to be held in November.
Our Migration Strategy
The Migration Strategy was a key deliverable from Phase 1 of the program in 2024. It outlines our proposed approach to the migration, the principles which we will apply and how to manage the transition and co-existence.
Three principles guide the strategy:
Collaboration and openness: It is expected that participants will collaborate within a social code of conduct involving:
Transparency in relation to dealing with the program and other participants, particularly regarding their progress and timelines.
Openness in sharing information relevant to the program that could assist other participants with their progress and in meeting their timelines.
A spirit of collaboration for the greater good of the public and the industry.
Retaining flexibility for participants’ internal programs: To provide each participant maximum flexibility in running their respective programs, the migration approach should aim to minimise interdependencies between individual participants. However, this is subject to their meeting industry milestones, such as Sunrise and Sunset dates.
Risk-based sequencing of the program: The migration approach emphasises prioritising the upgrade of the most critical infrastructure within the card payments network. It also makes sense to attend at the outset to the system components requiring the least upgrade effort, reducing the interim risks within the lifetime of the program.
Taking this approach enables participants to largely implement the migration on their own schedules within the overall program timeline. Coordination is limited to those areas where this is truly necessary, such as interchange links. This also means that there will be an extended period of coexistence when both the Triple Data Encryption Standard (TDES) and AES will be in operation at the same time, with each step of a transaction using the highest security standard available for that step. Over time, as AES is rolled out, we will see TDES retired and end-to end transactions using AES.
The next key phase in the migration is the initial stage of Vanguard Industry Testing (VIT) and Pilot. During VIT, participants will conduct a subset of industry testing to enable them to conduct a live Pilot. It is expected that the live Pilot will be a controlled exercise involving a limited use of AES in a production environment.
The VIT and Pilot steps are critical in testing and de-risking the subsequent execution program.
What are we seeing around the world?
There have been some recent notable developments around the world relevant to AES.
Firstly, the European Union has begun a coordinated effort for Member States to switch critical infrastructure to quantum-resistant encryption by 2030. This initiative calls for the AES transition to begin by late 2026 and be fully completed by 2035 and aims to safeguard EU data and communications from the threat posed by future, powerful quantum computers.
Secondly, the PCI Security Standards Council released its Cryptography Guidance Paper, which outlines the minimum requirement for 128-bit encryption (i.e. AES). This is welcome guidance that is consistent with the approach we are taking with the program.
What are we seeing in Australia?
The Australian Government released the 2023-2030 Australian Cyber Security Strategy (the Strategy) on 21 November 2023. The Strategy outlines the framework for government to take action to uplift Australia’s cyber maturity and preparedness over three phases , with the intention of making Australia a world-leader in cyber security by 2030:
Horizon 1 (2023-25) focused on strengthening foundations, with 60 initiatives either delivered or underway. These initiatives are outlined in government’s Action Plan.
Horizon 2 (2026-28) will focus on investment in the broader cyber security ecosystem.
Horizon 3 (2029-30) will advance the global frontier of cyber security. We will lead the development of emerging critical technologies capable of adapting to new risks and opportunities across the cyber landscape.
In moving towards Horizon 2, Home Affairs recently released a Policy Discussion Paper for public consultation. Once feedback is considered, a further industry co-design process will be undertaken on the specific actions and initiatives to take forward in Horizon 2.
Looking forward
Much is scheduled to happen over the next 18 months.
Firstly, before the end of this year we will finalise the key foundational program documents:
The Technical Blueprint – this set outs the target state for the migration and references the various standards that apply across the whole system.
The Migration Strategy and handbook – these outline our proposed approach to the migration, the principles which we will adopt, how we will manage co-existence, and the framework of dates that will apply for AES sunrise and sunset of TDES.
The Industry Test Strategy and Plans – these describe the approach to be taken to testing and certification throughout the program and are complementary to the approaches adopted by each of the card schemes.
We expect to see a number of external documents, including:
The Government’s next version of its Strategic Plan for Australia’s Payments System.
The updated Position Statement on Quantum Computing and EMV Chip Cryptography from EMVCo.
The next round of technical standards from PCI, requiring 128-bit encryption.
The outcomes of the consultation on Horizon 2 of the cyber security strategy.
From an industry perspective, we expect to see specifications published and test environments made available to support VIT and Pilot.
We also expect more conversation about the concept of crypto agility. While the term itself is cumbersome, the concept of being agile in upgrading cryptography is important.
More broadly, we expect the focus of the program to move from the work being undertaken at AusPayNet to participant mobilisation and implementation programs, with the early participants entering VIT and Pilot.
We have a broad communication approach for updates
We have a multi-pronged approach to communicate updates, including a webinar program, events, this newsletter and other AusPayNet publications.
This is the second The Quantum Leap newsletter, which is produced quarterly and is available on the AusPayNet website.
We have a webinar series open to AusPayNet members. The series commenced earlier this year with a webinar introducing the AES Migration Program. Our second webinar will focus on the Technical Blueprint and will be held in November 2025. Additionally, there is ongoing bilateral engagement with Members and we continue to engage with regulators and government.
