Preparing for quantum computing: Implications for payment security

By Alex Rolfe

The financial services industry is on the cusp of a technological transformation. Quantum computing, long the preserve of theoretical physics and laboratory prototypes, is edging closer to practical application.


Its arrival promises extraordinary breakthroughs in optimisation, simulation, and data analysis. Yet for the payments industry, the technology is as much a threat as it is an opportunity.

Quantum machines could break the very cryptographic standards that underpin today’s digital economy. Payment systems, e-commerce platforms and card networks all depend on encryption to secure transactions and protect consumer data.

If quantum computers reach the necessary scale, these foundations risk collapse. Preparing for this “Q-Day”—the moment quantum machines can crack classical encryption—has therefore become one of the most urgent challenges in cybersecurity.

Understanding the Quantum Leap

At the heart of the quantum revolution are qubits. Unlike classical bits, which represent either a zero or a one, qubits can exist in superposition—representing multiple states simultaneously. They can also be entangled, meaning the state of one qubit is instantly connected to another, even across distance.

This allows quantum computers to process vast amounts of information in parallel, performing calculations that would take classical systems millions of years. In payments, such power could be deployed positively—for example, optimising payment routing in real time, or detecting fraud by analysing patterns across petabytes of transactional data.

But the same capability threatens existing cryptography. Shor’s algorithm, a quantum technique first outlined in 1994, can factor large numbers exponentially faster than classical algorithms.

The RSA public-key system, which secures much of today’s internet traffic, relies on the practical impossibility of factoring numbers with thousands of digits. Shor’s algorithm makes this tractable.

Sufficiently powerful quantum computing could dismantle RSA-2048 encryption in minutes, a task that would take a classical computer longer than the age of the universe.

Current Standards at Risk

Public-key cryptographic systems—RSA and Elliptic Curve Cryptography (ECC)—are especially vulnerable. They are used in everything from card authorisation to SSL certificates on e-commerce websites. Should these be compromised, sensitive payment card data and login credentials could be exposed at scale.

Symmetric key algorithms such as the Advanced Encryption Standard (AES) are less directly threatened. Yet they too would be weakened. Grover’s algorithm, another quantum technique, halves the effective key length of symmetric encryption. AES-256, considered robust today, could be reduced to AES-128 levels of protection—still formidable, but far less future-proof.

For payments, the implications are profound. Credit card numbers, transaction histories, user credentials and even central bank settlement systems could become readable to any party wielding a sufficiently advanced quantum machine. The trust underpinning global commerce would be at risk.

The Practical Implications for PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) provides the framework that enables secure handling of cardholder data. Compliance ensures that sensitive information is encrypted in transit and at rest.

As quantum computers advance, PCI DSS will need to evolve. Current requirements around encryption strength—based on the assumption that RSA and ECC are unbreakable within practical timescales—may no longer hold.

The PCI Security Standards Council is therefore expected to incorporate guidance on post-quantum cryptography into future versions of the standard.

Given that e-commerce now accounts for as much as 70–80% of card transactions globally, the urgency is evident. Without quantum-safe encryption, online commerce could become a hunting ground for attackers.

The Quantum Threat: “Harvest Now, Decrypt Later”

Although practical quantum computers remain some years away, the threat is already material. Cyber criminals may be stockpiling encrypted data now, with the intention of decrypting it once quantum capability arrives. This “harvest now, decrypt later” strategy means sensitive information could be compromised retrospectively, including payment data thought secure today.

As Sudeepta Das, chief technology officer at Cohesive Architecture, warns: “While Shor’s algorithm could potentially compromise RSA encryption, if such an event were to occur, it would put much of the internet at risk, as RSA-2048 safeguards payment systems and a wide range of other data.”

The concept of Q-Day therefore functions less as a prediction than a call to action. The industry must prepare now, before quantum machines achieve maturity.

Towards Quantum-Resistant Cryptography

Fortunately, the same innovation that threatens payments also points towards solutions. Researchers are developing cryptographic techniques thought to be resistant to quantum attacks.

  • Lattice-based cryptography relies on the difficulty of solving geometric problems in high-dimensional spaces, which remain resistant to quantum shortcuts.
  • Hash-based signatures build secure digital signatures from cryptographic hash functions, a family of algorithms less vulnerable to quantum algorithms.
  • Multivariate and code-based systems provide further options for diversified protection.

The US National Institute of Standards and Technology (NIST) is leading the global effort to standardise post-quantum cryptography (PQC). In 2024 it announced finalists in its competition, including algorithms such as CRYSTALS-Dilithium and CRYSTALS-Kyber. These are expected to become benchmarks for post-quantum security, shaping industry adoption worldwide.

Hybrid approaches are also gaining traction. Combining classical and quantum-resistant algorithms allows institutions to protect data during the transition, ensuring backwards compatibility while future-proofing sensitive communications.

Early Experiments in Payments

Some regulators and central banks are already testing PQC in payment systems. In a joint experiment, the Banque de France (BDF) and the Monetary Authority of Singapore (MAS) successfully exchanged encrypted emails using post-quantum algorithms integrated into Microsoft Outlook.

By layering PQC with existing encryption, they demonstrated that quantum-safe protocols can function within today’s infrastructure.

MAS Deputy Managing Director Jacqueline Loh highlighted the broader significance: “Early preparations for quantum-safe measures will help financial institutions mitigate future risks and sustain public trust in digital finance.”

This kind of experimentation is essential. It provides proof that PQC can be deployed without overhauling entire systems, building confidence for industry-wide adoption.

Quantum Security in Payments: The Four-Corners Model

One way to understand vulnerabilities in payments is through the “four-corners model”. Every transaction involves four parties: the payer, the payee, and their respective financial institutions. Each corner represents a potential weak point. Quantum computers could target data in transit or at rest at any stage.

Unless each corner is protected by quantum-resistant encryption, attackers could exploit the weakest link. For multinational payment systems, this means ensuring interoperability and consistent standards across jurisdictions—no small challenge in an already complex landscape.

Opportunities Alongside Threats

It is easy to frame quantum computing as purely a risk. But for the payments industry, it also presents opportunities.

Quantum computing algorithms could improve fraud detection by identifying anomalies in real time across enormous datasets. They could optimise liquidity management for banks, streamline cross-border settlement, and cut costs in reconciliation. In short, they could make payments faster, cheaper, and more secure—provided the cryptography issue is resolved.

The challenge, then, is dual: embracing the potential while mitigating the risks.

Preparing for Q-Day

For financial institutions, the path forward is becoming clear:

  1. Audit current cryptographic infrastructure – Identify where RSA, ECC and other vulnerable algorithms are used.
  2. Develop phased transition plans – Begin pilot projects using PQC, with hybrid models where necessary.
  3. Engage with regulators and standards bodies – Align with NIST standards and PCI SSC guidance as they evolve.
  4. Invest in training and education – Equip IT and security teams to manage post-quantum protocols.
  5. Collaborate internationally – Cross-border payment systems will only be as strong as their weakest participant.
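
As an added illustration of step 1 (example code written for this page, not taken from the article or any standards body), the sketch below triages a cryptographic inventory using the article's own claims: Shor's algorithm breaks RSA and ECC, Grover's algorithm halves symmetric key length, and "harvest now, decrypt later" makes long-lived secrets the priority. The inventory rows, the five-year migration time, the ten-year Q-Day horizon (the low end of the estimate quoted below) and the 128-bit floor are all assumptions.

```python
import re

# Constructed inventory: (system, algorithm label, years the data must stay secret).
INVENTORY = [
    ("card authorisation key exchange", "ECDH-P256", 7),
    ("e-commerce site certificate", "RSA-2048", 1),
    ("cardholder data at rest", "AES-256", 10),
    ("legacy token vault", "AES-128", 10),
    ("pilot settlement link", "CRYSTALS-Kyber", 10),
]

# Factoring / discrete-log schemes that Shor's algorithm breaks outright.
SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DH", "DSA")
# Post-quantum schemes named on the page, plus their NIST standard names.
PQC = ("CRYSTALS-KYBER", "CRYSTALS-DILITHIUM", "ML-KEM", "ML-DSA", "SLH-DSA")
# Work order for the report, most pressing first.
PRIORITY = ["replace-urgent", "replace-planned", "increase-key-size",
            "unclassified", "adequate", "quantum-resistant"]


def triage(algorithm, secrecy_years, migration_years=5, years_to_qday=10, min_bits=128):
    """Classify one algorithm use. The three numeric defaults are assumptions."""
    name = algorithm.upper()
    if name.startswith(PQC):
        return "quantum-resistant"
    if name.startswith(SHOR_BROKEN):
        # Mosca's inequality: data encrypted up to the end of migration is
        # exposed if its secrecy period runs past Q-Day.
        exposed = secrecy_years + migration_years > years_to_qday
        return "replace-urgent" if exposed else "replace-planned"
    aes = re.fullmatch(r"AES-(\d+)(?:-\w+)?", name)
    if aes:
        # Grover's algorithm halves the effective key length.
        return "adequate" if int(aes.group(1)) // 2 >= min_bits else "increase-key-size"
    return "unclassified"  # surface unknown labels instead of passing them silently


def audit(inventory, **assumptions):
    """Return (status, system, algorithm) rows sorted by PRIORITY."""
    rows = [(triage(alg, years, **assumptions), system, alg)
            for system, alg, years in inventory]
    return sorted(rows, key=lambda row: PRIORITY.index(row[0]))


if __name__ == "__main__":
    for status, system, alg in audit(INVENTORY):
        print(f"{status:18} {alg:15} {system}")
```

Shortening the horizon, for example audit(INVENTORY, years_to_qday=5), moves the RSA-2048 certificate into the urgent group as well.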

The transition will take years. Systems must be tested, validated, and integrated with legacy infrastructure. But waiting until quantum computers are operational is not an option. By then, it may be too late.

Timeline for Q-Day

The timeline for Q-Day is uncertain. Some estimates suggest 10–15 years, others much sooner. What is certain is that the race between cryptographers and quantum engineers has already begun.

As Luke Ibbetson of Vodafone has observed, NIST’s publication of new standards will be like firing a starting pistol: a signal for industries worldwide to accelerate adoption. Those who delay risk finding themselves vulnerable in a post-quantum world.

Quantum computing promises to reshape the payments industry, but its impact will depend on preparation. With proactive investment in post-quantum cryptography, collaboration across borders, and early adoption of standards, the sector can safeguard trust and stability. Without it, the foundations of digital commerce could be undermined overnight.

The message is clear: the time to prepare is now, before the quantum future becomes the quantum present.
