Understanding AS2805: Australia’s Updated Standard for Electronic Funds Transfer Systems
The Australian Standard AS2805 for electronic funds transfer was recently updated, necessitating significant changes in the country’s card-based payment systems. This standard, developed when the Data Encryption Standard (DES) and Triple DES (TDES) were the dominant cryptographic algorithms, has been revised to keep up with modern security needs.
Despite TDES still being used in payment cryptography, it is no longer considered secure enough. Cryptanalysis has the potential to find vulnerabilities in ciphers and decrypt data without knowing the secret key, making TDES a legacy technology. This lack of security makes it susceptible to fraud and other financial crimes.
The Shift from TDES to AES
The most notable change in the updated AS2805 standard is the mandatory shift from TDES to the Advanced Encryption Standard (AES) for data encryption. AES will be used for encrypting data such as PINs and transaction messages, thus improving cryptographic strength and ensuring better protection.
This substantial change will impact Point of Sale (POS) terminals across Australia, triggering a multi-year technological overhaul. The Australian Competition and Consumer Commission (ACCC) granted AusPayNet an 8-year authorisation in 2021 to work collaboratively on an industry migration framework for these cryptography upgrades.
Implications of the Update on POS Hardware
The updated standard will require the upgrading or replacement of over a million terminals and 25,000 ATMs, along with the associated network infrastructure and transaction processing systems. Card acquirers, such as banks, will have to take responsibility for managing the technical uplift of POS hardware for their merchants.
AusPayNet is allowing TDES and AES terminals to “coexist” on the network, subject to strict sunset rules. This policy allows merchants to replace their terminals in line with lease expiry and other equipment upgrades, without abruptly discarding functional terminals. However, once an older terminal model’s regulatory security approval expires, it must be decommissioned.
Understanding the New AS2805 Series
The updated AS2805 standard was published in three parts: AS2805.2, AS2805.6.9, and AS2805.9. These parts define the Australian-specific variant of ISO 8583:1987, specify the use of key blocks for AES session key exchange, and define a method for protecting payment message confidentiality.
Card acquirers and banks need to actively monitor their equipment utilising the legacy TDES encryption standards and identify the number of POS terminals that require upgrades. They also need to understand how the updated standards will impact their ATMs.
Security Expectations and Cyber Threats
While the Australian Prudential Regulation Authority (APRA) does not directly manage the technical details of the EFTPOS-related standards, it sets overarching risk and security expectations for financial institutions. In a letter issued on 30 April 2026, APRA reminded all its regulated entities of the urgent need to improve their board literacy and governance in response to escalating cyber threats and new attack vectors.
In conclusion, the updated AS2805 standard signifies a crucial step towards enhancing Australia’s electronic funds transfer systems’ security. The shift from TDES to AES for data encryption is expected to provide robust protection against cryptanalysis and other security threats.
Source link: Here
