The Cryptography Behind Your Card Tap Has an Expiration Date
I used to think quantum-safe payments were a 2035 problem. Then I learned about Harvest Now, Decrypt Later.
The idea is simple. Someone collects your encrypted financial data today, stores it, and waits for a quantum computer powerful enough to read it. If that data needs to stay confidential for 30 years, and a quantum computer arrives in 15, the encryption protecting it is already broken. The clock started before the computer exists.
This is not about predicting when quantum computers arrive. It is about understanding what your payment infrastructure actually relies on, where the gaps are, and what migration looks like when the constraints are physical hardware and message format limits rather than software patches.
What happens when you tap your card

A card tap feels instant. Underneath, it triggers a chain of cryptographic operations that most people in payments never think about. Here is what actually happens.
Your card has a small chip on it. That chip (called an EMV chip, named after Europay, Mastercard, and Visa, the three networks that originally developed the standard) generates a one-time code for every transaction. This code, called an application cryptogram, proves the card is physically present and genuine. The chip creates it using symmetric encryption, a type of encryption where both the card and the bank share the same secret key. The two algorithms used for this are 3DES and AES. Think of symmetric encryption like a padlock: both sides have the same key, so either side can lock or unlock.
Next, the card terminal needs to send this code to your bank. It opens an encrypted connection to the merchant's bank (the acquirer) using TLS, the same protocol that puts the padlock icon in your browser. During the TLS handshake, the terminal and the acquirer agree on a shared secret using asymmetric encryption. Unlike symmetric encryption, asymmetric encryption uses two keys: a public key that anyone can use to encrypt, and a private key that only the owner uses to decrypt. The two algorithms most commonly used for this are RSA (invented in 1977, based on the difficulty of factoring large numbers) and ECC (Elliptic Curve Cryptography, which achieves the same security with smaller keys). This is the first quantum-vulnerable step.
The acquirer forwards the authorization request to the card network (Visa, Mastercard, etc.), which attaches a MAC, a Message Authentication Code, to verify that nobody tampered with the data in transit. The network then routes the message to your bank (the issuer) over another TLS connection.
At the issuer, a specialized piece of hardware called an HSM (Hardware Security Module) verifies the card's cryptogram and your PIN. HSMs are tamper-resistant devices designed to perform cryptographic operations without ever exposing the keys they hold. They are the reason a bank can verify your PIN without ever actually storing your PIN anywhere.
The authorization response travels back through the same chain. Later, during settlement, the batch of transactions is signed using RSA-2048 digital signatures before being submitted to the settlement system.
A single card tap touches at least five separate cryptographic operations. Most of them rely on asymmetric encryption, and that is where the quantum problem lives.
Why quantum changes the math

Asymmetric encryption (RSA, ECC) works because certain math problems are extremely hard for today's computers. Factoring a 2048-digit number, for example, would take a classical computer longer than the age of the universe. A quantum computer running a specific algorithm called Shor's algorithm could do it in hours.
Quantum computers threaten payment cryptography in two distinct ways.
The first threat is to encryption itself. If someone is collecting encrypted financial data today, they can store it and decrypt it later when quantum hardware catches up. This is called Harvest Now, Decrypt Later, and it is an active threat right now, not a future one. The data is already being collected. SWIFT messages between banks must be retained for 30 or more years. Mortgage contracts span 25 years. Settlement records are kept for 20 or more years. Any of this data encrypted today could be readable within its retention window.
The second threat is to authentication. Digital signatures prove who authorized a transaction. A quantum computer could forge these signatures retroactively. The G7 Quantum Technologies Working Group calls this "Trust Now, Forge Later." Tokenized assets, digital identity frameworks, and distributed ledger settlement systems all depend on signatures remaining unforgeable for the entire life of the instrument. A signature created today on a 30-year bond could be forged before the bond expires.
The G7 report, published May 2026 by seven central banks, states it plainly: "The threat is already active regardless of when a CRQC actually arrives." CRQC stands for cryptographically relevant quantum computer, meaning one powerful enough to break the cryptography in widespread use today.
The clock started before the computer exists.
How close is the quantum hardware?

The honest answer has two parts, and they point in different directions.
First, the theoretical threat is closer than it was. In May 2025, Craig Gidney at Google Quantum AI published a paper showing that breaking RSA-2048 would require fewer than one million noisy qubits. A qubit is the basic unit of quantum computation, analogous to a classical bit but capable of representing 0 and 1 simultaneously. The "noisy" qualifier matters because real qubits are error-prone and need many physical qubits to create one reliable "logical" qubit. The previous estimate from 2019 was 20 million qubits. That is a 20x reduction through algorithmic improvements alone, not hardware progress. A Global Risk Institute survey of quantum computing experts in 2024 found that 27% expect a CRQC within 10 years, and 50% within 15 years.
Second, the hardware has not scaled as predicted. The largest number successfully factored by a quantum computer is 15. IBM's roadmap targets 100,000+ qubits by 2033, but today's most advanced processors are in the low hundreds. The gap between theoretical capability and engineered hardware remains large.
The framing that matters is not "when is Q-Day?" The framing is: what is the cost of being wrong? Being early costs money and engineering effort. Being late costs the confidentiality of every financial message collected during the gap. That is an asymmetric risk.
You do not need to believe Q-Day is 2030 to act today. You need to believe that data encrypted in 2026 could be decrypted before 2056. Given that SWIFT retains messages for 30 or more years, the math already works against you.
The replacement algorithms exist. The payment rails do not support them.

After an 8-year standardization process, NIST (the U.S. National Institute of Standards and Technology) finalized three post-quantum cryptography standards in August 2024:
- FIPS 203 (ML-KEM) handles key encapsulation, which is the process of securely exchanging encryption keys between two parties. The "ML" stands for Module-Lattice, a mathematical structure based on high-dimensional grids that are hard to solve even for quantum computers. ML-KEM replaces RSA and ECC key exchange.
- FIPS 204 (ML-DSA) handles digital signatures, which prove authenticity and integrity. It replaces RSA and ECDSA signatures using the same lattice-based math.
- FIPS 205 (SLH-DSA) is a backup signature standard that uses hash functions (a different mathematical approach) rather than lattices, providing diversity in case a weakness is ever found in lattice-based methods.
The algorithms exist. The infrastructure to run them on payment rails does not.
Some layers are straightforward. TLS key exchange is already migrating. Cloudflare reported in October 2025 that more than half of human-initiated traffic through its network uses post-quantum encryption. It does this with a hybrid approach, combining the traditional X25519 key exchange with ML-KEM-768 so that if either algorithm is broken, the other still protects the connection. Chrome has supported ML-KEM key agreement since version 124. If your payment API runs behind a CDN, the transport layer may already be partially quantum-safe without you doing anything.
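To see whether a client actually offers the hybrid group described above, this added example (not from the original article) parses the supported_groups extension of a raw TLS ClientHello and reports what the client offers, which is not necessarily what the server negotiates. The codepoints are the IANA-registered values; the function names and the sample handshake are constructed for illustration.

```python
import struct

# IANA TLS Supported Groups codepoints: classical and hybrid post-quantum.
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519",
          0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768"}
HYBRID_PQ = {0x11EB, 0x11EC}
EXT_SUPPORTED_GROUPS = 10


def offered_groups(record: bytes) -> list[int]:
    """Return supported_groups codepoints from one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                  # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                  # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        if end > len(record):
            raise ValueError("truncated ClientHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == EXT_SUPPORTED_GROUPS:
                (list_len,) = struct.unpack_from("!H", record, pos)
                return list(struct.unpack_from(f"!{list_len // 2}H", record, pos + 2))
            pos += ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return []


def classify(record: bytes) -> tuple[str, list[str]]:
    """Label a ClientHello by whether it offers a hybrid ML-KEM group."""
    groups = offered_groups(record)
    label = "hybrid-pq-offered" if HYBRID_PQ & set(groups) else "classical-only"
    return label, [GROUPS.get(g, hex(g)) for g in groups]


def build_sample_hello(groups: list[int]) -> bytes:
    """Constructed minimal ClientHello for the demo; not a real capture."""
    glist = b"".join(struct.pack("!H", g) for g in groups)
    exts = (struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
            + struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(glist) + 2, len(glist)) + glist)
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding it the first handshake record from a packet capture of your own terminals or API clients gives a per-client view of hybrid readiness.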
Other layers are hard. This is where the payment-specific constraints appear.
ML-DSA-44, the smallest NIST signature standard, produces signatures of 2,420 bytes. An ECDSA signature (the current standard) is 64 bytes. That is a 37.8x increase in size. Now consider ISO 8583, the message format that carries card payment authorization data between acquirers and issuers. It has been the backbone of card payment messaging since the 1980s. Its authentication data field is capped at roughly 256 bytes. A 2,420-byte signature does not fit in a 256-byte field. Payment message formats were designed in an era when bandwidth was expensive and every byte mattered. Redesigning them to accommodate signatures 38 times larger is not a configuration change. It is a protocol redesign.
BIS Project Leap Phase 2, which tested PQC-signed liquidity transfers through TARGET2 (a European real-time gross settlement system processing EUR 2 trillion daily), found that signature verification took 209.9ms with PQC versus 28.1ms with RSA. That is a 7.5x slowdown. In a settlement system processing trillions, every millisecond of latency has cascading effects on throughput and liquidity management.
The researchers also discovered something unexpected. A valid PQC-signed message could not complete settlement because the digital certificate was missing from TARGET2's static reference data. PKI, or Public Key Infrastructure, is the system that distributes, stores, and validates digital certificates. Think of it as the passport office for digital identities. The "cryptography problem" turned out to be a PKI and reference data problem. PQC migration requires an entire parallel certificate infrastructure, not just swapping one algorithm for another.
What does migration actually look like?

The G7 CEG published a phased PQC migration roadmap in January 2026: awareness by 2027, inventory by 2028, critical system migration by 2030, and full transition by 2035. NIST's own timeline says 112-bit cryptography (which includes RSA-2048 and ECC P-256, the algorithms protecting most card payments today) will be deprecated by 2030 and fully disallowed by 2035.
SWIFT is targeting SwiftNet 8.0 for 2027 with a 15-month migration window. JPMorgan has built a quantum-secured crypto-agile network, meaning their infrastructure is designed to swap cryptographic algorithms quickly as standards evolve. MAS and Banque de France ran a joint cross-border PQC experiment in 2024. Mastercard published a whitepaper on PQC migration in October 2025, co-authored with NTU Singapore and PQStation.
But here is the readiness gap. An ISACA survey of 2,600 or more professionals in 2025 found that 62% worry about quantum threats to current encryption. Only 5% have a defined PQC strategy. Only 5% have implemented any quantum-safe encryption. A DigiCert survey in May 2025 found the same 5% figure. Forty-one percent of organizations do not plan to address quantum computing at all.
Regulators are ready. Infrastructure is partially ready. Enterprises are not.
The constraints are physical, not just software. EMV chip cards have 10-year lifecycles and cannot be remotely updated. The chip literally needs to be replaced. HSMs require FIPS 140-3 Level 3 certification for payment processing. FIPS 140-3 is a U.S. government standard that validates that cryptographic hardware meets specific security requirements. Level 3 is the highest commonly required level for payment processing, mandating physical tamper-resistance and identity-based authentication. As of early 2026, no HSM vendor has completed PQC validation. The certification pipeline alone could take 2 to 3 years.
Running hybrid crypto (old and new algorithms side by side) during the transition sounds reasonable in theory. But BIS Project Leap discovered that hybrid operation "was not envisaged in the original cryptographic design" and requires "substantial evolution of the system." The systems were built assuming one algorithm per operation. Supporting two simultaneously means re-architecting message flows, validation logic, and error handling across every participant in the chain.
The historical precedent is sobering. EMV chip migration, from specification to global ubiquity, took roughly 20 years. PQC migration affects every cryptographic operation in the payment stack, not just card-present transactions. The White House estimates $7.1 billion to migrate U.S. civilian systems alone (July 2024), excluding the Department of Defense.
Who has actually done it?
BIS Project Leap Phase 2 (December 2025). Three central banks (Bank of Italy, Banque de France, Deutsche Bundesbank) tested PQC-signed liquidity transfers through TARGET2 and other CPMI settlement systems. Every test passed. The transfers flowed correctly. But the performance penalty (7.5x slower verification), the signature size overflow in message buffers, and the missing PKI reference data revealed that feasibility and production-readiness are different things. Getting the math right is not the same as getting the system to work.
MAS Advisory Circular (February 2024). MAS/TCRS/2024/01, addressed to CEOs of all Singapore financial institutions, recommended cryptographic asset inventorying, vendor evaluation for quantum risk, staff competency development, and proof-of-concept trials. Singapore's CSA also published a Quantum Readiness Index in October 2025.
MAS QKD Sandbox (September 2025). MAS partnered with DBS, HSBC, OCBC, UOB, SPTel, and SpeQtral on a quantum key distribution (QKD) proof-of-concept. QKD uses the physics of quantum mechanics to distribute encryption keys in a way that detects eavesdropping. The findings: QKD can secure data center connections, but tamper-resistant standards need strengthening, and interoperability between QKD vendors is still lacking.
JPMorgan (2024). Established a quantum-secured crypto-agile network designed to allow rapid algorithm swaps as standards evolve. Global CIO Lori Beer described a dual strategy incorporating both PQC and QKD.
Mastercard (October 2025). Published a whitepaper examining HNDL attacks on card payments, comparing PQC and QKD approaches. Key finding: cryptographic inventory is the immediate priority. Mastercard Enhanced Contactless (Ecos) uses AES symmetric encryption for quantum resistance, not asymmetric PQC. Symmetric algorithms like AES are less affected by quantum computing. Grover's algorithm (a quantum algorithm for searching unsorted databases) halves the effective key strength, so AES-256 still provides 128-bit security, which remains safe.
What should you do?
1. Run a cryptographic inventory. Map every algorithm in your payment stack: TLS versions, key exchange methods, signature algorithms, symmetric ciphers, HSM firmware versions. You cannot migrate what you have not found. NIST IR 8547 (November 2024) specifies which algorithms will be deprecated and when.
2. Prioritize by data lifetime. Data that must remain confidential for decades (settlement records, mortgage files, SWIFT messages) carries the highest HNDL risk. Short-lived transaction data that is processed and discarded is lower priority.
3. Pilot hybrid TLS. X25519+ML-KEM-768 is already supported by Chrome, Firefox, and Cloudflare. Start with non-production environments. The transport layer is the easiest piece of the migration.
4. Track SWIFT 8.0. The 15-month migration window means decisions need to happen in 2026. If your institution uses SWIFT, this is the most concrete deadline on the calendar.
5. Budget for HSM replacement. FIPS 140-3 PQC validation is on the critical path for payment processing. No vendor has completed it yet. When they do, certification and deployment will take additional years.
6. Watch MAS guidance. If you operate in Singapore, MAS has already directed financial institutions to begin quantum risk assessment. The advisory circular is not optional.
The cost of being early is money and engineering time. The cost of being late is the confidentiality of every financial message collected during the gap. The risk is asymmetric. Start with the inventory.
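Steps 1 and 2 can be combined into a simple triage pass, sketched here as an added example that is not part of the original article: each inventory entry is classified by algorithm family and ranked by how many years its data or signature must outlive an assumed CRQC date. The inventory entries are constructed, and the 2041 CRQC year is only the "arrives in 15 years" illustration from the opening applied to 2026, not a prediction.

```python
from dataclasses import dataclass

SHOR_BROKEN = ("RSA", "ECDSA", "ECDH", "X25519")  # RSA and ECC families
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")             # FIPS 203 / 204 / 205
SYMMETRIC = ("AES", "3DES")


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str        # e.g. "RSA-2048", or hybrid "X25519+ML-KEM-768"
    purpose: str          # "key-exchange", "signature" or "symmetric"
    retention_years: int  # how long the data or signature must hold up


def family(component: str) -> str:
    """Map 'RSA-2048' -> 'RSA'; unrecognised names come back as 'UNKNOWN'."""
    c = component.strip().upper()
    return next((f for f in SHOR_BROKEN + PQC + SYMMETRIC if c.startswith(f)), "UNKNOWN")


def triage(asset: Asset, created: int, crqc_year: int) -> tuple[str, int]:
    """Return (finding, years of exposure after the assumed CRQC year)."""
    fams = [family(part) for part in asset.algorithm.split("+")]
    if "UNKNOWN" in fams:
        return ("unknown-algorithm", 0)      # needs manual review
    if any(f in PQC for f in fams):          # hybrid: one PQC component is enough
        return ("pqc-protected", 0)
    if all(f in SYMMETRIC for f in fams):
        return ("symmetric", 0)
    exposure = created + asset.retention_years - crqc_year
    if exposure <= 0:
        return ("expires-before-crqc", 0)
    kind = "trust-now-forge-later" if asset.purpose == "signature" else "harvest-now-decrypt-later"
    return (kind, exposure)


def prioritise(assets, created=2026, crqc_year=2041):
    rows = [(a.name, *triage(a, created, crqc_year)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)  # longest exposure first


# Constructed sample inventory; retention periods follow the figures quoted above.
INVENTORY = [
    Asset("card cryptogram", "AES-128", "symmetric", 1),
    Asset("settlement batch signing", "RSA-2048", "signature", 20),
    Asset("CDN-fronted payment API", "X25519+ML-KEM-768", "key-exchange", 30),
    Asset("interbank message link", "RSA-2048", "key-exchange", 30),
    Asset("terminal authentication", "ECDSA-P256", "signature", 1),
]
```

Calling `prioritise(INVENTORY)` puts the 30-year interbank link first, and rerunning it with a different `crqc_year` shows how sensitive the ranking is to that assumption.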