Submissions – Payments System Australian Payments Network – Application for Authorisation AA1000699-1

Introduction

The Reserve Bank of Australia (RBA) has prepared this submission to the Australian Competition and Consumer Commission (ACCC) in response to the Australian Payments Network’s (AusPayNet’s) application regarding the program of work to migrate the Australian card payments system to the Advanced Encryption Standard (AES) (AA1000699-1).¹

This submission provides the RBA perspective based on its responsibility as the principal regulator of Australia’s payments system, with a mandate to promote the safety, efficiency and competitiveness of the payments system. The RBA supports AusPayNet’s application because a coherent and timely industry migration to the AES will require increased coordination and sharing of relevant information. Without effective coordination there is an increased risk that the migration to AES for card payments will not occur in a timely fashion, or with sufficient market coverage, resulting in end users of the system being exposed to an increased risk of fraud.

Proposed authorisation

The RBA places a high priority on the public having safe means of conducting in-person card payments. A key component of this is the encryption of card payments details when exchanged between cards and devices (e.g. point of sale (POS) terminals and ATMs).

The data associated with card payments are currently encrypted using Triple Data Encryption Standard (TDES). While viewed as fit for purpose in the short term, it is broadly accepted across the payments industry (and in the broader security community) that TDES is unlikely to remain secure over the medium to long term.

The introduction of quantum computing is expected to bring a step change to processing capabilities and poses a significant threat that the TDES protocol is breached. Domestically and internationally migration from TDES to AES is occurring, as AES is viewed as a quantum-safe solution.

In February 2024, the RBA’s Payments System Board expressed its strong support for industry efforts to ensure encryption standards continue to meet the high safety standards for card payments expected by the Australian public. Consistent with the Government’s Strategic Plan for the Payments System, members supported AusPayNet’s proposal to commence migration in 2025 and encouraged industry to progress the migration with sufficient urgency to enable the transition to the AES to be completed within industry’s estimated timeframe of five to seven years.²

The Australian card payments system is a complex interconnected network of over 970,000 POS terminals and 25,000 ATMs, across dozens of card issuers and acquirers. Given this complexity, implementing an effective and timely migration to AES will require coordination and information sharing among the relevant parties involved in the Australian card payments system. Accordingly, the RBA supports AusPayNet’s application to provide the necessary ACCC authorisation for the industry – namely AusPayNet and its issuers and acquirers community – to work together on certain aspects of AusPayNet’s AES migration program, and to share information to monitor progress, report issues and develop solutions to issues, for the purpose of facilitating an effective migration to the AES.

Reserve Bank of Australia
13 June 2025

Endnotes

APN (2025), ‘Application for Authorisation under S88(1) of the Competition and Consumer Act 2010 (Cth)’, 7 May. 1

RBA (2024), ‘Payments System Board Update: February 2024 Meeting’, Media Release No 2024-03, 29 February. 2