EPC Updates Cryptographic Rules As Quantum Threat Looms

March 20, 2025
The advent of quantum computing has sparked concern at the European Payments Council (EPC) as it releases its latest updates to cryptographic rules for members.


The EPC’s annual update of the Guidelines on Cryptographic Algorithms Usage and Key Management provides crucial insights for payment service providers (PSPs) on security protocols, data integrity and encryption best practices. 

The 2024-25 edition reflects the latest advancements in cryptographic technology, including updates on authenticated encryption, homomorphic encryption and, in particular, preparations for the post-quantum era.

“Although no one knows precisely when cryptographically relevant quantum computers will actually arrive, organizations must review their cryptographic strategies to ensure they remain secure in a post-quantum world,” the EPC said. 

The guidelines serve as a reference for security officers, risk managers and system engineers working in the payments industry, and aim to help PSPs navigate the evolving security landscape and mitigate risks associated with emerging threats.

Cryptographic algorithms encrypt and decrypt data to secure digital transactions, guaranteeing confidentiality and integrity.

Key management safeguards are also important, to prevent unauthorised access.

PSPs use these techniques to secure payments, protect customer data and prevent fraud.

With the rise of quantum computing, existing cryptographic methods could become vulnerable, making it essential for PSPs to plan for a transition to quantum-resistant algorithms.

The EPC guidelines, which have been devised by a variety of players, including representatives of the Electronic Money Association, Worldline and Mastercard, give particular attention to the risks associated with what could be an imminent rise in post-quantum cryptography.

For example, the UK’s National Cyber Security Centre (NCSC) has issued guidance on transitioning to post-quantum cryptography (PQC), warning organisations to prepare for future threats.

The EPC also highlights the term "harvest now, decrypt later". This is where attackers collect encrypted data today to decrypt with future quantum computers. 

This underscores the urgency of adopting hybrid encryption methods that combine both classical and quantum-resistant techniques.

More for PSPs to worry about

Although large-scale quantum computers that are capable of breaking current encryption do not yet exist, financial institutions (FIs) are being urged to assess their cryptographic strategies and prepare for future risks. 

The EPC guidelines highlight the need for cryptographic agility, including the ability to design systems that can transition to new encryption standards as needed.

As it stands, the issue facing payments players, including those in the EPC and further afield, is that quantum computing could significantly increase fraud risks for payments firms by breaking widely used encryption methods.

Although the threat could still be some way off (nobody knows how far), firms need to ready themselves for yet another operational risk. 

Failure to do so could mean that payments firms expose sensitive payment data, such as card details and authentication credentials, to cybercriminals.

Many payment systems use cryptographic authentication mechanisms, such as digital signatures and public-key cryptography, to verify transactions. If quantum computers break these protections, fraudsters could forge signatures or manipulate transaction records.

Hackers could also already be intercepting and storing encrypted payment data, waiting until quantum computers are powerful enough to decrypt it. This could lead to mass-scale fraud in the future.

This intervention from the EPC signals to payments firms that they must transition to quantum-safe algorithms before the threat becomes real.
