Review of Payments System Regulation

5. Cryptography and Fraud Prevention

The payments system and the environment in which it operates continue to become more complex. Issues affecting financial safety in the payments system and/or controlling risk to the financial system include the need to strengthen cryptography in response to advances in computing, and the need to address rising rates of card fraud, particularly on online transactions at overseas merchants.

5.1 Cryptography in the payments system

Cryptography is a discipline concerned with protecting sensitive information as it is stored or transmitted between parties. In many digital contexts – including, but not limited to, electronic payments – the data involved may include details that could be misused if disclosed, modified, or falsely attributed. Cryptographic techniques are therefore designed to uphold three core security principles:

  • Confidentiality ensures that information is accessible only to authorised parties, protecting it from unauthorised access even if communications are intercepted.
  • Integrity safeguards the accuracy and completeness of data by enabling recipients to detect whether information has been altered, either accidentally or maliciously, during transmission or storage.
  • Authenticity supports trust in digital interactions by allowing parties to verify the origin of data and confirm that it was generated or sent by a legitimate source.

These three principles are critical in payment systems, with cryptography helping to ensure that transaction information, payment credentials, and authorisation messages can be exchanged securely, protecting consumers, merchants, and financial institutions from fraud and misuse.
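As an added illustration of the three principles in a card-payments setting (example code written for this section, not code from the RBA, AusPayNet or the AES Migration Program), the following Go program seals a constructed authorisation message with AES-256-GCM. The message layout, field names and the issuer-acquirer shared key are assumptions for the illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// AuthMessage is a constructed stand-in for a card authorisation message:
// the header (merchant, amount) travels in clear but is bound to the
// ciphertext as additional authenticated data; card details are encrypted.
type AuthMessage struct {
	Header, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAuth encrypts the card details (confidentiality) and authenticates
// header and ciphertext together under a key assumed shared by issuer and acquirer.
func sealAuth(key, header, cardDetails []byte) (AuthMessage, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return AuthMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return AuthMessage{}, err
	}
	ct := gcm.Seal(nil, nonce, cardDetails, header)
	return AuthMessage{Header: header, Nonce: nonce, Ciphertext: ct}, nil
}

// openAuth returns the card details only if header and ciphertext are
// unmodified (integrity) and were sealed with the same key (authenticity).
func openAuth(key []byte, m AuthMessage) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, m.Header)
}
```

Altering the amount in the header in transit, or presenting the message under a different key, makes openAuth return an error before any card details are released, which is how the integrity and authenticity properties are enforced in practice.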

In practice, cryptography does not guarantee absolute security. Rather, it makes unauthorised access difficult by making the time and resources required to compromise cryptographic protections exceed the useful lifetime and the perceived value of the information being protected. For example, data that remains sensitive for 10 years should be encrypted in a way that would take an attacker at least that long to decrypt it. As ongoing improvements in classical computing continue to reduce the time required to undermine existing cryptographic standards, cryptography must be continuously strengthened to remain effective.

Looking further ahead, the anticipated emergence of cryptographically relevant quantum computers (CRQCs) represents a fundamental shift in the threat landscape. Quantum computing is expected to outperform classical systems for certain cryptographic tasks, rendering some widely used encryption methods ineffective altogether. While views differ on the likely timeframe, the Australian Signals Directorate17 assesses that CRQCs could emerge as early as 2030 and become increasingly likely toward 2040.

For organisations participating in payment systems, significant work is underway globally and domestically to strengthen cryptographic practices in response to the evolving threat environment. Much of this effort is focused on identifying where investment delivers the greatest reduction in risk, particularly in the context of finite resources and competing security priorities. In this setting, more future-focused risks, such as those posed by quantum computing, can be difficult to prioritise, due to uncertainty around both when they may arise and how best they should be addressed.

The challenge of uplifting cryptographic practices is compounded in highly networked industries such as payments, where decisions must be coordinated across multiple participants and systems to be effective. Industry bodies, payment networks, and individual organisations draw on advice from a wide range of sources, including cybersecurity agencies, global standard-setting bodies and regulators, both domestic and international. While this breadth of guidance reflects the complexity of the threat environment, it can also result in differing emphasis, time horizons and recommended approaches, making coordinated and timely action more difficult.

5.1.1 The card payments system

The industry-led Advanced Encryption Standard (AES) Migration Program aims to uplift cryptography across the Australian card payments system. The program brings together three distinct sources of guidance:

  • International and domestic standards, including those developed by the International Standards Organization, National Institute of Standards and Technology, Internet Engineering Task Force and Standards Australia, which serve as the foundation for the industry’s target cryptographic state.
  • Requirements and guidance from the Payments Card Industry Security Standards Council,18 which are international in nature and developed specifically for card payment systems. The requirements address current cyber threats facing the global card payments ecosystem, while the guidance encourages industry participants to prepare for emerging risks.
  • Guidance from the Australian Signals Directorate, which is Australian-focused and provides generic, cross-industry advice on cryptographic uplift and cryptographic risk management, rather than sector-specific mandates.

Together, these resources can be used to help ensure that the approach adopted by the Australian card payments system is consistent with global card-payment standards while being tailored to the Australian context. The program represents an important first step toward improving the quantum resilience of Australia’s card payment infrastructure.

Although there is broad industry support for the program and some participants have made strong progress, many organisations remain uncertain about their ability to complete the program within the targeted timeframes. These concerns are driven by:

  • Competing internal investment priorities, with immediate and well-understood cyber threats often taking precedence over the more future-focused initiatives.
  • The operational complexity of large-scale device replacement, with approximately 970,000 point-of-sale terminals and 25,000 ATMs requiring replacement or upgrade.19
  • Differing requirements and guidance, where industry context and implementation considerations have led industry participants to favour an incremental, hybrid approach to quantum readiness, while broader national security guidance promotes a comprehensive cryptographic uplift over shorter timeframes to achieve full quantum resilience.

Australia’s challenges are widely shared internationally. While a small number of jurisdictions have begun to make tangible progress, most face challenges with sequencing cryptographic uplifts in an environment where guidance, standards and threat horizons continue to evolve. Many jurisdictions remain in the planning stage and, as in Australia, face ongoing uncertainty about longer-term approaches and timing needed to achieve a genuinely quantum-safe card payments system.

The RBA is seeking views on how it could support and facilitate industry-led cryptographic uplifts for the card payments system and other payment systems operating in Australia.

5.2 Card payments fraud overseas

Card payments fraud involves the unauthorised use of card details to make purchases, withdraw funds or gain financial benefits without the cardholder’s consent. In 2024, the value of fraud on Australian-issued cards was $913 million, a rate of 78.8 cents per $1,000 spent.20 This represented a 37 per cent increase on the 2022 rate.

Card not present (CNP) fraud represents approximately 90 per cent of the value of fraud on Australian-issued cards (Graph 8). CNP fraud occurs when valid card details are stolen or otherwise fraudulently obtained and used to make payments via a remote channel. CNP fraud is primarily perpetrated online via a web browser or by phone.

Graph 8
Graph 8 is a bar and dot chart showing transaction shares for Australian-issued cards in 2024. The graph decomposes these payments into four categories based on whether the payment was made with the card present or not present, and acquired at a merchant in Australia or overseas. The dots show the proportion of the value of card transactions for each category. The bars show the proportion of the value of fraudulent card transactions for each category. Card not present transactions at overseas merchants represent approximately 3% of the value of payments on Australian-issued cards, but approximately 50% of the value of fraudulent payments.
Graph 9
Graph 9 is a two-panel line chart showing the value and rate of card not present (CNP) fraudulent transactions from 2020 to 2025. The top panel shows the overall value of CNP fraud. The value of CNP fraud on Australian-issued cards at overseas merchants increased significantly from approximately $200 million to approximately $450 million between 2022 and 2025. The bottom panel shows the rate of CNP fraud. The rate of CNP fraud on Australian-issued cards at overseas merchants increased over the period 2022 to 2025, while the rates of fraud on Australian-issued and overseas-issued cards at Australian merchants both declined in this period.

In response to these high and growing fraud levels, the payments industry developed the CNP Framework to reduce fraud on Australian cards used at Australian merchants in online channels. The CNP Framework is enforced through AusPayNet’s Issuers and Acquirers Community (IAC) Code Set. Under the IAC Code Set, AusPayNet may place sanctions on issuing or acquiring participants for breaching fraudulent transaction thresholds. Sanctions may include a requirement to implement Strong Customer Authentication (SCA), a form of multifactor authentication. Since the inception of the CNP Framework in 2019, the rate of CNP fraud at Australian merchants has declined (Graph 9).

However, the CNP Framework does not apply to CNP fraud occurring at overseas merchants, which has increased rapidly in recent years (Graph 9). Unlike domestic merchants and acquirers, overseas merchants and acquirers fall outside the regulatory reach of the IAC Code Set and cannot be sanctioned by AusPayNet for breaching fraud thresholds. In 2024, CNP transactions at overseas merchants accounted for half of all card fraud on Australian-issued cards despite those transactions only representing around 3 per cent of the total value of all transactions on these cards.

To address CNP fraud at overseas merchants, some stakeholders have suggested requiring Australian card issuers to implement additional verifications such as SCA for these transactions. The RBA understands that stakeholder views on this approach are mixed, although some issuers have independently adopted multifactor authentication processes in the absence of a formal requirement.

Stakeholders have suggested that continued growth in CNP card payments fraud overseas could raise efficiency and financial safety concerns:

  • The costs of card fraud must be absorbed by participants in the ecosystem and are ultimately borne by Australian merchants and consumers through the pricing of payment services. Administrative costs related to managing consumer dispute and chargeback processes must also be borne by consumers and card issuers.
  • A high prevalence of card fraud could erode trust in cards as a payment method and, in the extreme, push consumers towards more expensive or less secure ways of paying.

The RBA is seeking views on whether measures to address fraud on Australian-issued cards used at overseas merchants, for example requiring issuers to implement SCA, would be in the public interest.

Endnotes

17 See Australian Signals Directorate (2025), ‘Planning for Post-quantum Cryptography’, September.

18 The Payments Card Industry Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards. Its founding members include major card networks.

19 See AusPayNet (2026), ‘Advanced Encryption Standard (AES) Migration’, May.

20 See AusPayNet (2025b), ‘2025 Australian Payment Fraud Report’, August.