Quantum Computing – preparing for the impact on payment service providers
The advent of quantum computing has sparked concerns about the security of current encryption methods used in payment transactions. With their immense computational power, quantum computers possess the ability to accelerate decryption processes exponentially, rendering traditional encryption algorithms vulnerable to breaches.
While quantum computing technology was initially confined to research facilities, universities and tech giants, and often used in extreme conditions, recent developments have given rise to more accessible and cost-effective quantum computers, designed for practical applications. In Europe particularly, the scaled-down versions which have been developed over the past couple of years are geared more to the interests of users, which means they no longer require superconductivity close to absolute zero. While these units, which often work with just two to four qubits, may not match the prowess or power of their larger counterparts, their increasing availability and much lower price heighten the risk of unintended data decryption, particularly in the realm of payment processing.
Payments demand high standards of security
Payment service providers (PSPs) provide eCommerce and high street retailers with payment methods and transmit data to banks, credit card companies, and other participants in the payment transactions ecosystem. It is their responsibility to securely facilitate online and in-store payment transactions, and as an industry, they have long adhered to stringent security standards, such as the Payment Card Industry (PCI) standards and ISO 27001. PSPs submit to intense yearly certification to ensure security when processing sensitive information such as customer credit card data. In payment transactions, the asymmetric RSA encryption method, which uses a combination of public and private keys, is vulnerable to the immense computing power of quantum computers, potentially reducing decryption time from years to mere days. The risk of compromise, as a result, increases exponentially.
The need for agile encryption
To mitigate this risk, PSPs have begun implementing countermeasures. One approach is to increase the length of encryption keys. In the case of Computop, this has involved moving from 2048 digits to 4096 characters, exponentially increasing the computational effort required for decryption. However, key lengthening alone is insufficient; the entire process chain must embrace “cryptoagility” – the ability to rapidly adapt and switch encryption methods as new threats emerge.
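One way a processing chain can make its methods switchable, shown as an added example that is not Computop's or any PSP's code: every protected message carries an algorithm identifier, and a central policy decides which identifiers are still accepted. The names `Policy`, `protect`, `verify` and `migrate` are hypothetical, and HMAC variants stand in for encryption methods so the sketch runs on the Python standard library alone; the dispatch and retirement logic is the part that carries over.

```python
import hashlib
import hmac
import json

# Primitive registry. HMAC variants stand in for the encryption methods a PSP
# would register (assumption: chosen so the example runs on the standard library).
ALGORITHMS = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, data: hmac.new(key, data, hashlib.sha512).digest(),
}

class Policy:
    """Which algorithm protects new messages and which are still accepted."""
    def __init__(self, current, accepted):
        self.current, self.accepted = current, set(accepted)

def protect(policy, key, payload):
    tag = ALGORITHMS[policy.current](key, payload)
    return json.dumps({"alg": policy.current, "payload": payload.hex(), "tag": tag.hex()})

def verify(policy, key, envelope):
    msg = json.loads(envelope)
    alg = msg.get("alg")
    # The policy decides, not the message: a retired algorithm is refused even
    # if its tag is valid, which blocks a downgrade to a weakened method.
    if alg not in policy.accepted or alg not in ALGORITHMS:
        return None
    payload = bytes.fromhex(msg["payload"])
    expected = ALGORITHMS[alg](key, payload)
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        return None
    return payload

def migrate(policy, key, envelope):
    """Re-protect a stored envelope under the policy's current algorithm."""
    payload = verify(policy, key, envelope)
    if payload is None:
        raise ValueError("envelope rejected; refusing to re-protect it")
    return protect(policy, key, payload)

def demo():
    key = b"constructed-demo-key"                      # constructed sample key
    legacy = Policy("hmac-sha256", {"hmac-sha256"})
    stored = protect(legacy, key, b"order=1001;amount=49.90")   # constructed message
    transition = Policy("hmac-sha512", {"hmac-sha256", "hmac-sha512"})
    upgraded = migrate(transition, key, stored)
    final = Policy("hmac-sha512", {"hmac-sha512"})     # old method retired
    return verify(final, key, upgraded), verify(final, key, stored)
```

Switching methods here is a policy change plus a migration pass; no call site names an algorithm, which is what lets the change happen quickly.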
Ironically, payment service providers derive little benefit from the speeds offered by quantum computing. Global payments are already transacted almost instantly, and processing at individual points is a minor aspect. Transmission time, which spans from the customer clicking the ‘Buy Now’ button to receiving confirmation that the payment has been made successfully, accounts for most of the time involved, and even this is completed in just a few seconds.
Combatting the threat from quantum computing will require extensive industry-wide collaboration, spanning hardware and software upgrades, as well as modifications to interfaces and peripheral devices like Hardware Security Modules (HSMs).
The role of token technology
Some current security measures that protect online payments are already less susceptible to quantum computers. Tokenisation, a data security measure already employed by major credit card companies, presents a formidable defence against quantum computing threats. In this approach, tokens are secure replacement numbers that do not contain any data themselves. Instead, critical payment data, including the card number, the expiration date, the CVV code and the graphic of the physical card, is replaced with random character strings, which serve as digital signposts referencing the securely stored data. These tokens are transaction-bound and device-specific, ensuring that even if decrypted, they reveal no valuable information about future transactions.
Another benefit of tokenisation is that it eliminates the need for customers to re-register expired cards, as the data is updated within the tokenisation chain. The display of card graphics on end devices further enhances security, enabling customers to easily identify potential counterfeits. In the unlikely event that a quantum computer were able to ‘crack’ a token, the only data it would find is from the past, and it would not provide any indication about the next transaction.
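The token properties described above (random value, bound to one device and one transaction, card data updated behind the token), as an added example that is not part of the original article or any card scheme's implementation. `TokenVault` and its methods are hypothetical names, the store is an in-memory stand-in for a token service, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Constructed in-memory stand-in for a token service's vault."""

    def __init__(self):
        self._cards = {}     # card_ref -> {"pan", "expiry"}; never leaves the vault
        self._tokens = {}    # token -> binding (card_ref, device, txn, used)

    def enrol(self, pan, expiry):
        card_ref = secrets.token_hex(8)
        self._cards[card_ref] = {"pan": pan, "expiry": expiry}
        return card_ref

    def update_card(self, card_ref, pan, expiry):
        # Reissued card: existing references and tokens keep working.
        self._cards[card_ref] = {"pan": pan, "expiry": expiry}

    def issue(self, card_ref, device_id, txn_id):
        if card_ref not in self._cards:
            raise KeyError("unknown card reference")
        # Random, not derived from the PAN: no key turns it back into card data.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"card_ref": card_ref, "device": device_id,
                               "txn": txn_id, "used": False}
        return token

    def redeem(self, token, device_id, txn_id):
        binding = self._tokens.get(token)
        if binding is None or binding["used"]:
            return None                      # unknown or replayed token
        if binding["device"] != device_id or binding["txn"] != txn_id:
            return None                      # wrong device or transaction
        binding["used"] = True
        return dict(self._cards[binding["card_ref"]])


def demo():
    vault = TokenVault()
    ref = vault.enrol("4111111111111111", "12/25")       # constructed test PAN
    token = vault.issue(ref, "phone-A", "txn-1001")
    vault.update_card(ref, "4111111111111111", "12/29")  # card renewed
    return {
        "token": token,
        "wrong_device": vault.redeem(token, "phone-B", "txn-1001"),
        "first_use": vault.redeem(token, "phone-A", "txn-1001"),
        "replay": vault.redeem(token, "phone-A", "txn-1001"),
    }
```

A captured token is useless on another device or for a second transaction, and because it is a lookup key and not ciphertext, faster key recovery does not help an attacker who holds only the token.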
Be cryptoagile to stay ahead of security threats
As the race to harness quantum computing accelerates, companies must prioritise the adoption of cryptoagile processes and the rapid adaptation of encryption methods. Regulatory pressures, such as the European Digital Operational Resilience Act (DORA), are compounding the urgency for organisations to stay ahead of emerging security threats.
In the quantum computing era, payment security will hinge on embracing agility, leveraging tokenisation, and fostering industry-wide collaboration to develop robust encryption standards capable of withstanding the immense computational power of quantum computers.