Summary
The article argues that the post-quantum shift in payments is unlike past crypto upgrades. The EMV rollout took decades, and the SHA-256 upgrade was mostly a software change. PQC touches every layer at once: card silicon and secure elements, terminals, HSM fleets, PKI, network message formats, and central bank settlement rails. This is a systemic change, not a routine patch cycle.
A single tap at a coffee shop sets off a chain of quantum-vulnerable operations across many owners and jurisdictions. The card creates a cryptogram from keys in its secure element. The terminal validates a certificate chain rooted in the network CA. Authorization rides TLS that today relies on RSA or ECC. If approved, funds move through SWIFT, Fedwire, or TARGET2, each with distinct PKI and HSM dependencies. One cross-border payment can invoke dozens of separate crypto controls, each on its own upgrade timeline.
For CISOs and payment leaders, the mandate is coordination and crypto agility. Start a full cryptographic inventory, including card and terminal fleets, HSM models, PKI, protocols, and message schemas. Require upgradeable crypto in new procurements. Pilot PQC and hybrid modes in labs to assess latency, payload size, and hardware impact. Engage networks, issuers, acquirers, processors, and central banks to align formats and governance. Plan for phased, interoperable cutovers that preserve today’s reliability while buying down quantum risk.
See the original article at: https://postquantum.com/post-quantum/payments-quantum-pqc/
