Skip to main content

The Post-Quantum Era Demands Quantum-Safe Payments

Jan

30

2025

Time to read

Read so far

Written by: 

Jenn Markey

Time to read

Written by: 

Timelapse image of a street

A quantum computer encodes information as qubits and uses quantum mechanical properties to perform calculations on that data that are effectively impossible for today’s conventional computers. And much like artificial intelligence, quantum computing promises to revolutionize the payments industry, while also introducing significant cybersecurity risks.

The arrival of commercially viable quantum computers, sometimes referred to as Q-Day, marks the point when quantum computing will break current encryption methods safeguarding most of the internet. While this date is still a ways out, early quantum computers and “Harvest Now, Decrypt Later” style attacks that target long-life data, including financial records, already make us part of the post-quantum (PQ) era.

Quantum Computing: Set to Disrupt Payments

On the plus side, quantum computing offers the potential for substantial innovation in payments and finance around the globe. Its speed and efficiency offer tremendous promise for:

  • Financial risk management
  • Fraud detection and prevention
  • Anti-money laundering (AML) initiatives
  • Consumer behavior analytics
  • Payment network routing and algorithmic trading

Additionally, quantum algorithms have the potential to significantly improve portfolio allocation, asset pricing, and even central bank clearing. Thanks to their strong optimization capabilities, quantum computers promise better customer experiences and profitability for financial players.

However, quantum computing also poses an existential threat to the global financial system by breaking today’s public key cryptographic algorithms (RSA and ECC), which underpin secure movement of money and data transactions, leaving organizations, individuals, and economies vulnerable.

Post-Quantum Cryptography: The Path to Quantum-Safe Payments

Post-quantum cryptography (PQC) refers to new encryption algorithms designed to withstand attacks from quantum computers. In August 2024, NIST published the first three PQC standards, followed by the approval of 14 new digital signing algorithms for PQC standardization in October 2024. Migration to PQC is critical for securing payments and ensuring the global financial system and economy function smoothly.

The adoption of PQC by the payments industry is necessary to realize quantum-safe payments. This will help protect consumers, financial institutions, and payment networks from bad actors while also maintaining compliance with regulators around the globe. Waiting until Q-Day to begin PQC migration would be unwise – not only because the process will take years, but also because financial data, which often has a long lifecycle, is already being targeted by Harvest Now, Decrypt Later attacks.

PQC and Quantum-Safe Payment Preparedness

Financial institutions, central banks, and regulators around the globe are actively preparing for Q-Day with varying approaches globally:

  • G7 Cyber Expert Group: Chaired by the U.S. Treasury Department and the Bank of England, this group actively urges financial institutions to prepare for the quantum threat now. They recommend understanding the technology, assessing its risks, and developing specific risk mitigation strategies.
  • Quantum Leap Project: A collaboration between the Bank for International Settlements (BIS) and the French and German central banks to safeguard financial systems in the PQ era.
  • Emerging Payments Association Asia (EPAA): This association has formed an industry working group that includes HSBC, AP+, PayPal, and IBM to help define requirements, identify dependencies, use cases, and create a roadmap to implement post-quantum networking.

Applying the Four Corners Model to Quantum-Safe Payments

The four-corners model for payment security can be a useful tool to assess the quantum computing threat. This model provides a framework for secure payments by addressing vulnerabilities across:

  1. Payment Party Originator
  2. Originating Financial Institution
  3. Receiving Financial Institution
  4. Payment Party Recipient

Quantum computing not only threatens secure transactions across each corner in the model, but also the processing and storage of payment data at each corner. The Hudson Institute estimates a potential indirect loss to the U.S. financial system of between $2 trillion and $3.3 trillion if these threats aren’t addressed, as measured by GDP at risk.

A Blueprint for Quantum-Safe Payments

Quantum-safe payments should be considered as one critical outcome of the financial industry’s larger PQC migration journey. And while differences to PQC migration can be expected across jurisdictions, the following blueprint of global best practices for preparing for quantum-safe payments should be followed:

  • Start Now: CISA, NSA, and NIST urge organizations to prepare now, with other jurisdictions not far behind.
  • Designate a Lead: This helps ensure the orchestrated, organization-wide collection of cryptographic information related to payments and beyond.
  • Develop a Readiness Roadmap: Once a lead has been designated, CISA encourages organizations to establish a quantum readiness project team to plan and scope the transition to PQC including quantum-safe payments.
  • Perform a Cryptographic Inventory: With a clear roadmap in place, begin the following:
    • Proactively discover all cryptographic assets and systems, including the identification of those that are quantum vulnerable
    • Apply the four-corners model to assess vulnerabilities across payment workflows
    • Ensure your organization is crypto-agile to support future PQC implementations and visibility into your cryptographic assets (keys, certificates, etc.). This will likely be one of the more challenging and time-consuming tasks.
  • Engage Your Payment Ecosystem Partners: Ensure all payment ecosystem partners have a clear PQ-readiness roadmap of their own, including migration. This should include everything from new products having PQC built in, to legacy products having a timeline for PQC upgrades.

The quantum threat facing the payments industry is real and immediate. Don’t leave your organization unnecessarily exposed. Assess your organization’s PQ preparedness today with our self-assessment and explore our post-quantum cryptography solutions.

jenn-markey-headshot
Jenn Markey
Advisor, Entrust Cybersecurity Institute
Jenn Markey is a content advisor and thought leader with the Entrust Cybersecurity Institute. Her previous roles with Entrust include VP Product Marketing for the Payments and Identity portfolio and Director Product Marketing for the company’s Identity and Access Management (IAM) business. Jenn brings 25+ years of high tech product management, business development, and marketing experience to the Entrust Cybersecurity Institute with significant expertise in content development and curation.
View all of Jenn's Posts
Facebook