The National Cyber Security Centre (NCSC) has warned that while collecting and storing vast amounts of data for years is costly, the arrival of quantum computers in the next decade could make such efforts valuable for hackers. “Given the cost of storing vast amounts of old data for decades, such an attack is only likely to be worthwhile for very high-value information,” the NCSC stated.
On this point, Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, noted: “Certainly there’s some data that’s time-sensitive, like a ship transporting weapons to a sanctioned country, probably in eight years we don’t care about that anymore.” Similarly, when you make an online payment, the card data is transmitted, and banks approve or reject the transaction almost instantly. Even if someone records this data now, it wouldn’t be valuable later because the transaction is processed immediately.
This limits the risk of a “Harvest now, decrypt later” attack. However, for in-person payments using chip-and-PIN, sometimes the terminal doesn’t connect to the bank in real time (e.g., on airplanes or in remote areas). These rely on the card’s own authentication, which uses RSA/ECC. In the future, quantum computers could forge this authentication, making it possible to bypass security without bank approval.
Given the sensitivity of the data involved, the financial sector must take the lead in adopting post-quantum cryptography. The stakes are exceptionally high: a successful quantum-enabled cyberattack could compromise trillions of dollars in assets and card payment or PCI data, and disrupt markets. In the finance industry, security upgrades take years. Cards, terminals, and backend systems must all change simultaneously, a process that can’t be done overnight.
Understanding existing banking protocols
Most card transactions worldwide rely on the EMV standard, which covers nearly 90% of in-person payments made with cards. This standard uses asymmetric cryptography (RSA) to authenticate cards and symmetric cryptography to generate transaction certificates, ensuring the transaction is secure.
EMV cards use three main authentication methods. Static Data Authentication (SDA) allows a card to send signed static data to prove authenticity but is vulnerable to cloning. Dynamic Data Authentication (DDA) improves security by having the card sign a challenge during a transaction, though it still leaves later transaction steps less protected. Combined Data Authentication (CDA) strengthens this process by adding further signing, making it the most secure method currently used. Offline transactions, where no live internet verification is possible, depend heavily on these authentication methods secured by public key cryptography, which is a potential risk as quantum computers could eventually forge these cryptographic protections.
To future-proof these systems, researchers have tested Post-Quantum (PQ) Cryptography, which uses new encryption techniques designed to withstand attacks from quantum computers.
Real World Testing of PQ security
In real-world testing, NIST researchers aimed to protect card payments from future quantum computer threats by enhancing existing EMV payment protocols. They modified two standard protocols to incorporate Post-Quantum (PQ) cryptographic algorithms, which are advanced encryption methods designed to withstand quantum attacks. To ensure a smooth transition and continued usability, these new protocols were designed to work in a hybrid mode, combining existing RSA/ECC encryption with PQ algorithms. This approach maintains backward compatibility, allowing older cards and payment terminals to function without disruption during the transition to PQC.
The updated protocols were implemented on physical banking smart cards equipped with chips, and researchers tested their performance during live payment transactions. They measured critical factors such as the memory required on the card, transaction processing time, and additional communication overhead introduced by PQ encryption.
The card and terminal first establish a shared secret key via PQ algorithms. They then use fast symmetric encryption for PIN verification and transaction certificates. Hybrid mode signs and encrypts data with both RSA/ECC and PQ algorithms. This dual protection ensures that even if PQ cryptography faces unforeseen reliability issues, card transactions remain secure and functional.
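One common way to build the session key in such a hybrid scheme is to feed both shared secrets into a key-derivation function, so that recovering the key requires both of them. The sketch below is an added example, not code from the researchers' protocols: the HKDF-SHA256 combiner, the `hybrid_session_key` name, the label string, and the random byte strings standing in for the ECDH and PQ KEM outputs are all assumptions.

```python
import hashlib
import hmac
import os

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC-SHA256(salt, input keying material).
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    # Length-prefix each secret so the concatenation cannot be re-split differently.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (classical_ss, pq_ss))
    # Bind the key to the exchanged handshake messages via the salt.
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-card-session-v1", length)  # label is hypothetical

if __name__ == "__main__":
    ecdh_ss = os.urandom(32)  # constructed stand-in for a classical ECDH output
    kem_ss = os.urandom(32)   # constructed stand-in for a PQ KEM shared secret
    transcript = b"card-hello|terminal-hello"  # constructed handshake bytes
    key = hybrid_session_key(ecdh_ss, kem_ss, transcript)
    print("session key:", key.hex())
    # An attacker who recovers only one of the two secrets derives a different key.
    print(key != hybrid_session_key(ecdh_ss, os.urandom(32), transcript))
```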
Challenges found
Researchers encountered several challenges during the testing of quantum-safe payment cards.
One of the biggest issues is that Post-Quantum cryptography requires much larger keys and digital signatures compared to current encryption methods. This results in slower transaction times and significantly higher memory usage on banking smart cards.
Another major limitation is hardware. Existing cards and payment terminals have restricted storage capacity and processing power, making it difficult for them to handle PQ algorithms efficiently. Replacing or upgrading this hardware is a complex task, especially given the scale of the global banking system. With billions of cards and payment terminals in use worldwide, banks cannot switch to PQ-ready systems overnight.
Despite these hurdles, the research confirmed that it is technically feasible to secure payment cards against quantum attacks using PQ cryptography. However, performance bottlenecks and hardware constraints remain significant obstacles. The findings highlight the urgency of beginning hardware preparation and upgrades now, ensuring that the financial industry is ready before quantum computers become advanced enough to break current RSA and ECC cryptographic systems.
Preparing for PQC
The following roadmap was created in partnership with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) to guide organizations in preparing for Post-Quantum Cryptography (PQC). It highlights the need to transition from current cryptographic methods (like RSA/ECC) to quantum-resistant algorithms before quantum computers become powerful enough to break existing encryption.
Engagement with Standards Organizations
Organizations are advised to direct their key stakeholders to increase their engagement with standards developing organizations, such as NIST and PCI-DSS, for the latest developments relating to necessary algorithm and dependent protocol changes.
Inventory of Critical Data
Every organization holds some data that, if decrypted in the future, could cause serious harm. This includes sensitive personal information (cryptography is used across their infrastructure. This includes listing all software, hardware, and applications relying on encryption. Once this inventory is complete, teams can evaluate which cryptographic methods are vulnerable to quantum attacks and estimate the costs and effort required to replace them with quantum-safe alternatives. Without this step, organizations risk overlooking hidden vulnerabilities.
Identification of Internal Standards
Internal cryptographic standards and policies define how an organization manages encryption, purchases technology, and maintains data protection policies. These rules were built around current encryption methods like RSA and ECC. With the shift to post-quantum cryptography, these internal standards will need updating to align with future security requirements. This means revising cryptographic controls, policies, standards, SLAs, and internal compliance measures to ensure that, when PQC is implemented, it’s fully supported within organizational processes.
Identification of Public Key Cryptography
From the inventory, organizations should identify where and for what purpose public key cryptography is being used and assess which systems are most vulnerable to quantum threats.
Prioritization of Systems for Replacement
Not every system needs to be upgraded immediately, so prioritization is crucial. Prioritizing one system over another for cryptographic transition is highly dependent on organization functions, goals, and needs. To supplement prioritization efforts, organizations should consider the following factors when evaluating a quantum-vulnerable system:
- Is the system a high value asset based on organizational requirements?
- What is the system protecting (e.g., key stores, passwords, root keys, signing keys, personally identifiable information, sensitive personally identifiable information)?
- What other systems does the system communicate with?
- To what extent does the system share information with federal entities?
- To what extent does the system share information with other entities outside of your organization?
- Does the system support a critical infrastructure sector?
- How long does the data need to be protected?
Plan for Transition
Using the inventory and prioritization information, organizations should develop a strategy for systems transitions upon publication of the new post-quantum cryptographic standard. Transition plans should consider creating cryptographic agility to facilitate future adjustments and enable flexibility in case of unexpected changes. Cybersecurity officials should provide guidance for creating transition plans.
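The inventory, public-key identification and prioritization steps above can be prototyped as a small triage script. This is an added example, not part of the DHS/NIST roadmap: the record fields, the score weights, the 10-year horizon (taken from the article's "next decade") and the sample inventory are constructed assumptions.

```python
from typing import NamedTuple

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
HORIZON_YEARS = 10  # assumption: the article's "next decade" as planning horizon

class Asset(NamedTuple):
    system: str
    algorithm: str            # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    purpose: str              # "key-exchange", "encryption" or "signature"
    data_lifetime_years: int  # how long the protected data must stay secret
    high_value: bool = False
    protects_keys_or_pii: bool = False
    shares_externally: bool = False
    critical_infrastructure: bool = False

def is_quantum_vulnerable(a: Asset) -> bool:
    return a.algorithm.split("-")[0].upper() in QUANTUM_VULNERABLE

def harvest_now_exposed(a: Asset) -> bool:
    # Recorded ciphertext only pays off if the data still matters at the horizon.
    return (is_quantum_vulnerable(a) and a.purpose in {"key-exchange", "encryption"}
            and a.data_lifetime_years >= HORIZON_YEARS)

def priority(a: Asset) -> int:
    # Score built from the roadmap's questions; the weights are illustrative.
    if not is_quantum_vulnerable(a):
        return 0
    score = 1 + 2 * a.high_value + 2 * a.protects_keys_or_pii
    score += a.shares_externally + a.critical_infrastructure
    return score + (3 if harvest_now_exposed(a) else 0)

def triage(inventory):
    # Quantum-vulnerable assets only, highest migration priority first.
    return sorted(filter(is_quantum_vulnerable, inventory), key=lambda a: (-priority(a), a.system))

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("payment-auth-tls", "ECDH-P256", "key-exchange", 0, shares_externally=True),
    Asset("card-offline-auth", "RSA-2048", "signature", 5, high_value=True,
          protects_keys_or_pii=True, critical_infrastructure=True),
    Asset("customer-archive-vpn", "ECDH-P256", "key-exchange", 25, high_value=True,
          protects_keys_or_pii=True, shares_externally=True),
    Asset("db-at-rest", "AES-256", "encryption", 25, high_value=True, protects_keys_or_pii=True),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(priority(a), a.system, a.algorithm, "HNDL" if harvest_now_exposed(a) else "")
```

The symmetric-only entry drops out of the list, and the short-lived payment session ranks last even though it uses the same key exchange as the long-lived archive link.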
Current estimate of the amount of funding required
Federal agencies, working with the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD), in collaboration with CISA and NIST, are taking structured steps to secure U.S. Government information technology against future quantum computing threats. The effort centers on three main activities.
- Developing an initial inventory of cryptographic systems present on agency information systems (other than national security systems (NSS));
- Developing cost estimates for the transition; and
- Developing prioritization criteria for the transition.
Each year, agencies must submit to OMB and ONCD an updated inventory detailing quantum-vulnerable cryptography on their prioritized systems along with migration cost estimates. Based on the latest data, ONCD projects that the total cost for transitioning prioritized federal systems to PQC between 2025 and 2035 will reach approximately $7.1 billion (in 2024 dollars). Meanwhile, the Department of Defense, the Office of the Director of National Intelligence, and the National Manager for NSS are separately estimating funding needs to migrate classified and defense systems.
These early projections carry a high degree of uncertainty, as agencies are still refining their inventories and cost models. The estimates are currently a rough order of magnitude, not exact calculations. Agencies will continue to revise these numbers annually as they gain experience and improve their methodologies.
A significant challenge identified is that some federal systems cannot easily adopt new cryptographic algorithms because they are hardwired in hardware or firmware or lack the capacity to handle replacements. Replacing these systems entirely contributes substantially to the overall projected cost of migration.
How can Encryption Consulting support PQC transition?
If you are wondering where and how to begin your post-quantum journey, Encryption Consulting is here to support you. You can count on us as your trusted partner, and we will guide you through every step with clarity, confidence, and real-world expertise.
Cryptographic Discovery and Inventory
This is the foundational phase where we build visibility into your existing cryptographic infrastructure. We identify which systems are at risk from quantum threats and assess how ready your current setup is, including your PKI, HSMs, and applications. The goal is to identify what cryptographic assets exist, where they are used, and how critical they are.
- Comprehensive scanning of certificates, cryptographic keys, algorithms, libraries, and protocols across your IT environment, including endpoints, applications, APIs, network devices, databases, and embedded systems.
- Identification of all systems (on-prem, cloud, hybrid) utilizing cryptography, such as authentication servers, HSMs, load balancers, VPNs, and more.
- Gathering key metadata like algorithm types, key sizes, expiration dates, issuance sources, and certificate chains.
- Building a detailed inventory database of all cryptographic components to serve as the baseline for risk assessment and planning.
PQC Assessment
Once visibility is established, we conduct interviews with key stakeholders to assess the cryptographic landscape for quantum vulnerability and evaluate how prepared your environment is for PQC transition.
- Analyzing cryptographic elements for exposure to quantum threats, particularly those relying on RSA, ECC, and other soon-to-be-broken algorithms.
- Reviewing how Public Key Infrastructure and Hardware Security Modules are configured, and whether they support post-quantum algorithm integration.
- Analyzing applications for hardcoded cryptographic dependencies and identifying those requiring refactoring.
- Delivering a detailed report with an inventory of vulnerable cryptographic assets, risk severity ratings, and prioritization for migration.
PQC Strategy & Roadmap
With risks identified, we work with you to develop a custom, phased migration strategy that aligns with your business, technical, and regulatory requirements.
- Creating a tailored PQC adoption strategy that reflects your risk appetite, industry best practices, and future-proofing needs.
- Designing systems and workflows to support easy switching of cryptographic algorithms as standards evolve.
- Updating security policies, key management procedures, and internal compliance rules to align with NIST and NSA (CNSA 2.0) recommendations.
- Crafting a step-by-step migration roadmap with short-, medium-, and long-term goals, broken down into manageable phases such as pilot, hybrid deployment, and full implementation.
Vendor Evaluation & Proof of Concept
At this stage, we help you identify and test the right tools, technologies, and partners that can support your post-quantum goals.
- Helping you define technical and business requirements for RFIs/RFPs, including algorithm support, integration compatibility, performance, and vendor maturity.
- Identifying top vendors offering PQC-capable PKI, key management, and cryptographic solutions.
- Running PoC tests in isolated environments to evaluate performance, ease of integration, and overall fit for your use cases.
- Delivering a vendor comparison matrix and recommendation report based on real-world PoC findings.
Pilot Testing & Scaling
Before full implementation, we validate everything through controlled pilots to ensure real-world viability and minimize business disruption.
- Testing the new cryptographic models in a sandbox or non-production environment, typically for one or two applications.
- Validating interoperability with existing systems, third-party dependencies, and legacy components.
- Gathering feedback from IT teams, security architects, and business units to fine-tune the plan.
Once everything is tested successfully, we support a smooth, scalable rollout, replacing legacy cryptographic algorithms step by step, minimizing disruption, and ensuring systems remain secure and compliant. We continue to monitor performance and provide ongoing optimization to keep your quantum defense strong, efficient, and future-ready.
PQC Implementation
Once the plan is in place, it is time to put it into action. This is the final stage where we execute the full-scale migration, integrating PQC into your live environment while ensuring compliance and continuity.
- Implementing hybrid models that combine classical and quantum-safe algorithms to maintain backward compatibility during transition.
- Rolling out PQC support across your PKI, applications, infrastructure, cloud services, and APIs.
- Providing hands-on training for your teams along with detailed technical documentation for ongoing maintenance.
- Setting up monitoring systems and lifecycle management processes to track cryptographic health, detect anomalies, and support future upgrades.
Transitioning to quantum-safe cryptography is a big step, but you do not have to take it alone. With Encryption Consulting by your side, you will have the right guidance and expertise needed to build a resilient, future-ready security posture.
Reach out to us at [email protected] and let us build a customized roadmap that aligns with your organization’s specific needs.
Conclusion
In conclusion, the transition to Post-Quantum Cryptography is becoming critical for the financial sector as future quantum computers could break current encryption methods that secure card payments, banking systems, and digital transactions. Research has already shown it is technically feasible to build quantum-resistant payment protocols, but challenges such as larger cryptographic keys, slower processing speeds, and costly hardware upgrades remain. Preparing early, by inventorying systems, testing hybrid encryption models, and aligning with upcoming NIST standards, will be essential to protect sensitive financial data and ensure uninterrupted trust in global payment networks when quantum computing becomes a reality.