Navigating Quantum Uncertainty in the Payments Industry: A Guide to NIST Recommendations and Post-Quantum Cryptography
The need for organisations to protect themselves against quantum threats to cybersecurity is becoming increasingly important as quantum-computing technology advances. Quantum computers have the potential to break many of the encryption techniques currently used to secure data, and this poses a significant risk to organisations in the payments industry.
Understanding Quantum Threats in the Payments Industry
While quantum computers are still in the early stages of development in terms of both hardware and software, it is anticipated that if development continues at its current pace, it will be a real threat to organisations five to ten years from now.
While this may seem a long way off, the vulnerability of today’s payment infrastructure is greatly exposed to quantum supremacy, and it is imperative that financial institutions take steps now to protect themselves and their customers. “While ten years might seem very far in the future,” says Costas Valakas, Stanchion’s Senior Solutions Consultant, “the reality is that there are malicious individuals and groups that are currently actively harvesting sensitive encrypted information that they could decrypt later, when quantum computers have matured enough.”
The main reason why quantum computers pose such an immense security threat to organisations in the payments industry is because, when fully realised, they have the potential to crack widely used encryption algorithms, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), which are the foundation of secure online transaction and data protection, by making use of Shor’s algorithm.
“Additionally, quantum computing can be a considerable threat for symmetric key cryptography,” explains Valakas. “By utilising Grover’s algorithm, a quantum application could potentially ‘guess’ the symmetric encryption key by brute-force attacks far faster than the classical algorithms.”
Stanchion’s Group Information Security Officer, Chris Wooding, says the negative impact on the payments industry will be widespread, resulting in corroded customer trust, expanded regulatory compliance requirements, pressure on resource allocation and increased insurance costs. “Organisations that are quick to adapt and implement quantum-resistant security measures will gain a competitive advantage by assuring their customers that their data is safe,” says Wooding. “On the other hand, organisations that lag behind in adopting these measures stand to lose market share and, in some cases, could even face threats to their ongoing existence.”
Demystifying NIST Guidelines
The US government’s National Institute of Standards and Technologies (NIST) is responsible for assessing the risks of quantum computing and standardising quantum-resistant cryptographic algorithms. NIST stresses that all organisations should prepare for potential future attacks by cryptanalytically relevant quantum computers by assessing the risks within their systems and creating quantum-readiness roadmaps. NIST strongly recommends that all organisations employ post-quantum cryptography (PQC) algorithms as soon as they are formalised next year (2024) to immediately protect their data that will need protection in the future.
“This is very important as hackers today can already be harvesting data that they will be able to decrypt as soon as quantum technology allows,” says Valakas. “The risk of a future quantum attack breaking secure communications and decrypting sensitive information would be disastrous for an organisation, especially a financial institution and could lead to its demise.”
Moving to post-quantum encryption standards is not a simple process, and to facilitate this, NIST is laying out specific guidelines for organisations, including those in the payments industry, to follow to ensure readiness by around 2030. First off, organisations need to establish a project management team to plan and define the organisation’s migration to PQC. “Once this is established, the relevant teams must identify the organisation’s reliance on quantum-vulnerable cryptography and create an inventory of the applicable systems and areas,” says Valakas. “This inventory will enable organisations to kick off the risk assessment process and prioritise the most critical areas.”
For the next stage, organisations, with the assistance of their product vendors and technical consultants should create their readiness roadmap – this would include the migration of the identified areas and the provision of updated software versions where applicable.
Payments Industry Challenges and Preparing for the Future
For the payments industry, the most sensitive information is that defined by the PCI-DSS and GDPR regulations, such as card numbers and personal data – for example, names, phone numbers and physical addresses. In most cases, this information must be kept in storage for a long period of time, which makes it even more challenging to protect from future quantum cyber-attacks. All modern payment channels rely heavily on TLS (Transport Layer Security) protection, and increasingly, the communication is performed over open Internet.
“Quantum-sensitive areas within a financial institution can be numerous and sometimes hard to identify,” says Valakas. “And to make matters worse, a potential quantum attack will greatly compromise the organisation’s security at a large scale, while today these types of attacks are limited to a certain area of the organisation and are usually caused by corrupt individuals from within the organisation.” He warns that a large-scale exposure of financial data would be devastating for a payment service provider and could even lead to its operational “death”.
While most of the largest financial institutions already have teams in place that include quantum computing experts to plan and implement safeguards, Wooding and Valakas stress that small and medium payments industry players need to familiarise themselves with the NIST’s recommendations and take steps to implement them.
“Meeting PQC standards is complex and poses transition challenges,” says Wooding. “It requires significant investment in research, development and infrastructure. Organisations need to carefully plan now and execute the transition to ensure uninterrupted payment services.”
Finding the right partner
As Valakas points out, one of the key challenges for the payments industry relates to product vendors and third-party risks. “A financial institution makes massive use of third-party products, which may be the most critical ones, such as payment switch and payment gateway.” He says organisations need to contact the relevant product vendors as soon as possible and ask for the product’s roadmap, as far as quantum readiness is concerned, and plan accordingly.
“If the product vendor does not provide an adequate roadmap, the organisation should at least consult other external partners for advice on product-hardening workarounds. There are many solutions out there – for example Stanchion’s Verto platform – that can ‘modernise’ legacy payment systems,” says Valakas.
As a leading global PayTech solution provider, Stanchion has an extensive network of subject matter experts in the payments industry spread across its offices on five continents that have recently been involved with PQC case studies. Stanchion’s Verto solution accelerates payments innovation by combining frameworks, toolkits, building blocks and accelerators to specifically meet future-facing companies’ needs, including helping them prepare for quantum threats.
“Stanchion is actively watching the evolution of quantum computing and its impact on the financial sector and is plannig Verto’s roadmap to make it quantum ready,” says Valakas, who will be attending the Quantum.Tech conference in the UK this month, where quantum leaders from the full ecosystem will gather to learn, network and discuss quantum computing and its impact going forward. Verto can be used as a legacy system wrapper and modernise such a system. After NIST’s PQC standards release, Stanchion will closely monitor their performance and community acceptance, ultimately selecting the most suitable standard for implementation in Verto. This will enable Stanchion to offer the highest level of security to the payment system.
As Wooding points out, quantum threats represent a long-term challenge for the payments industry, and organisations need to find the right partner to help them take proactive steps to protect their systems and customer data in a post-quantum world. To mitigate the potential impact, payments industry players need to stay informed, invest in research, plan for transition, educate staff and – most importantly – review vendor relationships to assess the security measures of third-party vendors and make sure they are quantum ready.
“Stanchion has committed to being an early adopter of quantum-ready computing and is focused on transitioning to a quantum-ready Verto platform,” says Wooding. “Stanchion believes that by allowing our customers to extend their payments transformation journey into a post-quantum world, we will reduce their risks levels and investment requirements, allowing them to focus on their core business.”
