Modern payment infrastructure relies on public-key cryptography (RSA, ECC, and Diffie-Hellman) to authenticate transactions, protect cardholder data, and secure messaging between financial institutions. These algorithms underpin SWIFT, SEPA, real-time gross settlement systems, and virtually every card scheme in operation today.
Quantum computers running Shor's algorithm will be capable of breaking these cryptographic primitives. While fault-tolerant quantum machines do not yet exist at the required scale, the trajectory of hardware development, demonstrated by IBM, Google, and others, makes this an engineering timeline question rather than a theoretical one. The National Institute of Standards and Technology (NIST) has already finalised its first set of post-quantum cryptographic standards (FIPS 203, 204, and 205) in response.
The Harvest-Now Decrypt-Later Risk
The threat is not confined to a future date when quantum computers reach sufficient capability. State-level actors and sophisticated adversaries are already intercepting and storing encrypted data today, with the intention of decrypting it once quantum resources become available. This harvest-now decrypt-later (HNDL) strategy means that any payment data with long-term sensitivity (regulatory records, compliance archives, contractual obligations) is already at risk.
Financial regulators have begun responding. The Monetary Authority of Singapore (MAS) has issued guidance on quantum readiness. The Australian Prudential Regulation Authority (APRA) has flagged cryptographic risk in its technology resilience framework. The European Union's Digital Operational Resilience Act (DORA) mandates ICT risk management that must account for emerging threats, including quantum computing.
Impact Across Payment Rails
The implications span the full breadth of payment infrastructure:
SWIFT messaging: MT and MX message formats rely on TLS and digital signatures for integrity and authentication. A compromised key infrastructure would undermine the trust model that connects over 11,000 institutions globally.
SEPA and instant payments: The European Payments Council's SEPA Instant Credit Transfer scheme processes irrevocable transactions in under ten seconds. Cryptographic compromise at this speed leaves no window for human intervention or manual verification.
Real-time payment systems: Faster Payments (UK), FedNow (US), and NPP (Australia) all share the same dependency on classical cryptographic primitives for message authentication and participant verification.
Compliance and long-life data: Payment records retained for regulatory purposes, often mandated for five to ten years or longer, will outlive the security guarantees of the cryptography that protected them at the time of creation. ISO 20022 migration programmes must consider the cryptographic shelf life of the data they produce.
Blockchain and distributed ledger technology: Digital asset platforms and tokenised payment instruments that depend on elliptic curve cryptography face a direct and well-understood threat from quantum algorithms.
What Organisations Must Do Now
The transition to quantum-safe cryptography is not a single upgrade but a multi-year programme requiring structured preparation:
Cryptographic inventory: Organisations must catalogue every system, protocol, and data store that depends on classical public-key cryptography. This includes TLS certificates, API authentication, HSM configurations, key management systems, and data-at-rest encryption.
Post-quantum algorithm adoption: NIST has standardised ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures. Organisations should begin testing these algorithms in non-production environments and develop migration roadmaps for critical systems.
Cryptographic agility: Systems must be designed, or refactored, so that cryptographic algorithms can be replaced without requiring full application redesigns. This principle applies to payment gateways, messaging middleware, and client-facing APIs alike.
Hybrid approaches: During the transition period, hybrid cryptographic schemes that combine classical and post-quantum algorithms provide defence-in-depth. This approach preserves backward compatibility while introducing quantum resistance.
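The inventory and hybrid steps above, as an added example that is not from the original article or the EPAA working group: a Python triage that classifies each inventory entry as quantum-vulnerable, hybrid or post-quantum and orders the entries needing action by data retention. The CSV columns, system names and the `+` convention for hybrid schemes are assumptions, and the sample rows are constructed.

```python
# Added example: triage a cryptographic inventory for quantum exposure.
# Inventory rows, column names and the '+' hybrid convention are assumptions.
import csv
import io

# Classical public-key families broken by Shor's algorithm, with their use.
VULNERABLE = {"RSA": "both", "ECDSA": "sign", "ECDH": "kex", "DH": "kex", "X25519": "kex"}
# NIST post-quantum standards named in the article (FIPS 203 and 204).
POST_QUANTUM = {"ML-KEM": "kex", "ML-DSA": "sign"}
REPLACEMENT = {"kex": "ML-KEM (FIPS 203)", "sign": "ML-DSA (FIPS 204)",
               "both": "ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"}

# Constructed sample inventory; none of these rows describe a real system.
SAMPLE_INVENTORY = """system,algorithm,retention_years
payments-gateway-tls,ECDH-P256,0
message-signing,RSA-2048,7
compliance-archive-wrap,RSA-4096,10
partner-api-tls,X25519+ML-KEM-768,0
api-request-signing,ML-DSA-65,5
"""

def family(name):
    """Return the known algorithm family that `name` starts with, or None."""
    known = sorted(list(VULNERABLE) + list(POST_QUANTUM), key=len, reverse=True)
    return next((f for f in known if name.upper().startswith(f)), None)

def classify(algorithm):
    """Classify one entry; '+' joins the components of a hybrid scheme."""
    fams = [family(part) for part in algorithm.split("+")]
    if any(f is None for f in fams):
        return "unknown", None          # not a recognised family: review by hand
    pq = [f for f in fams if f in POST_QUANTUM]
    classical = [f for f in fams if f in VULNERABLE]
    if pq and classical:
        return "hybrid", None
    if pq:
        return "post-quantum", None
    return "quantum-vulnerable", REPLACEMENT[VULNERABLE[classical[0]]]

def triage(inventory_csv):
    """Return entries needing action, longest data retention first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, target = classify(row["algorithm"])
        if status in ("quantum-vulnerable", "unknown"):
            rows.append((row["system"], row["algorithm"],
                         int(row["retention_years"]), status, target))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Entries whose algorithm is not a recognised public-key family are returned as `unknown` rather than dropped, so they stay on the list for manual review.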
EPAA Working Group and Industry Collaboration
The Emerging Payments Association Asia (EPAA) established its Quantum Safe Cryptography Working Group to address these challenges through coordinated industry action. The working group brings together participants from across the payments ecosystem, including IBM, HSBC, KPMG, JPMorgan Chase, and PayPal, among others.
Through workshops held in Sydney, Hong Kong, and Singapore, the working group has developed a shared framework for assessing quantum risk in payment systems and identifying practical migration pathways. The resulting white paper, Quantum-Safe Payments: Why the Payments Industry Must Act Now, represents a consensus position on the urgency and scope of the challenge.
The working group's analysis concludes that quantum-safe readiness is a current infrastructure decision, not a future one. Organisations that delay risk finding themselves unable to meet regulatory expectations, protect long-life data, or maintain interoperability with partners who have already migrated.
About the Author
Sebastien Rousseau is a Senior Digital Product Manager at HSBC Bank plc, leading corporate payments API products within HSBC's Commercial & Investment Bank. He contributed to the EPAA Quantum Safe Cryptography Working Group and researches the application of Post-Quantum Cryptography to financial services.