On 14 August 2025, the Australian Competition and Consumer Commission (ACCC) issued a draft determination proposing authorisation for the banking industry to coordinate the migration of the national card payments system from Triple DES (3DES) to the Advanced Encryption Standard (AES). The shift aims to bolster cybersecurity resilience, aligning Australia with global best practices as legacy encryption faces growing obsolescence.
The ACCC’s draft decision – known as authorisation AA1000699 – would allow Australian Payments Network Limited (AusPayNet) and its Issuers and Acquirers Community members to:
- Make and implement agreements on specific aspects of a program to migrate card payments encryption from 3DES to AES.
- Share information to monitor migration progress, report technical issues, and coordinate solutions – strictly for the purpose of enabling the AES transition.
The proposed authorisation would remain valid for eight years, giving the payments ecosystem a defined window to complete the complex technical and operational migration.
Submissions on the draft determination are invited until 29 August 2025, before the ACCC issues its final ruling.
Why the Change? From 3DES to AES
The Triple Data Encryption Standard, introduced in the late 1990s, has been widely used for securing card payments. While still considered “fit for purpose in the short term,” its age and computational inefficiencies make it increasingly vulnerable to advances in brute-force and quantum-adjacent cryptanalysis.
By contrast, the Advanced Encryption Standard (AES), adopted by NIST in 2001, is globally recognised as the benchmark for modern cryptographic protection. AES offers:
- Faster processing for high-volume transactions.
- Greater efficiency across modern hardware.
- Stronger protection against evolving attack techniques.
“AES represents the global standard for protecting sensitive payments data. Migrating now reduces systemic risk and ensures Australia’s financial infrastructure keeps pace with international security expectations,” an ACCC spokesperson stated in its announcement (14 August 2025).
Industry Coordination and Risk Management
The proposed authorisation allows AusPayNet and its community of banks, merchants, and service providers to coordinate closely on:
- Technical implementation schedules.
- Shared monitoring of potential disruption during migration.
- Incident reporting and rapid response protocols.
The ACCC emphasised that this coordination is narrowly tailored to migration logistics only, avoiding risks of anti-competitive conduct in the broader payments market.
Dr. Bronwyn Evans, Chair of Standards Australia, welcomed the move:
“Encryption is the invisible infrastructure of trust. The coordinated approach ensures no single institution lags behind, reducing exposure windows during the transition to AES.”
Global and Regional Context
International Trends
Globally, major financial regulators have been pressing for migration away from legacy cryptography. In 2024, the European Payments Council advised members to phase out 3DES in favour of AES for all SEPA card transactions by 2026. Similarly, U.S. financial institutions are aligning with PCI DSS v4.0, which underscores AES as the recommended standard for encryption at rest and in transit.
MEA Implications
For banks and payment processors across the Middle East and Africa, Australia’s regulatory push reflects a growing global harmonisation trend. Regional regulators in the Gulf Cooperation Council and South Africa have also flagged the eventual deprecation of 3DES in payments systems. Harmonisation with AES could simplify cross-border compliance and improve resilience against rising ransomware and cybercrime campaigns targeting financial services.
Actionable Takeaways for CISOs and Executives
- Assess existing encryption implementations — audit where 3DES remains in use across card processing systems.
- Begin AES migration planning — align internal timelines with regulator guidance and vendor roadmaps.
- Coordinate with ecosystem partners — ensure interoperability with banks, acquirers, and processors.
- Update compliance frameworks — map AES migration to PCI DSS v4.0 and regional regulations.
- Harden key management practices — strengthen HSM governance to align with AES requirements.
- Test for backward compatibility — ensure legacy systems handle the transition gracefully.
- Monitor for fraud anomalies — maintain heightened vigilance during migration phases, when attackers exploit gaps.
- Invest in staff awareness and training — reduce risk of misconfigurations during deployment.
- Engage with regulators early — provide feedback during consultation periods like the ACCC’s 29 August deadline.
- Benchmark against peers internationally — monitor migration progress in the U.S., EU, and Asia-Pacific markets.
Conclusion
Australia’s move to authorise industry coordination on migrating from 3DES to AES marks a significant milestone in modernising national payment infrastructure. The ACCC’s proposed eight-year authorisation balances urgency with operational realism, giving financial institutions time to adapt while reducing systemic risk. With cyberattacks escalating worldwide, AES adoption represents not just a technical upgrade, but a foundational step toward future-proofing global payment systems.