Quantum computing, once the domain of academic speculation, is fast becoming a central concern for the global payments industry. The sector’s leaders now warn that the rise of quantum capabilities will fundamentally challenge the cryptographic foundations underpinning every financial transaction.
The risk is not just theoretical: it is an urgent readiness challenge that is rapidly climbing the agenda of boardrooms, regulators, and technology strategists. Those risks are technical, but they are also reputational, and at some point will become regulatory.
Camilla Bullock, CEO of the Emerging Payments Association Asia, recalls that only two years ago, attempts to raise the issue of post-quantum cryptography (PQC) were met with skepticism. “Many questioned if it was even relevant to the payments sector,” she said. “It’s no longer a theoretical risk, it’s a readiness challenge.”
The problem with payments
Ray Harishankar, IBM Fellow, explains that quantum computing is not about replacing classical computers, but about introducing a radically different paradigm. Quantum machines excel at problems like factorization, the mathematical process at the heart of today’s encryption. Where a supercomputer might take a million years to factor a complex number, a sufficiently powerful quantum computer could do it in days or hours. “Quantum is not a bad thing,” Harishankar said. “Encryption is just one use case. But it will have an impact on everything we do”.
That includes payments.
Each transaction involves not just a single encrypted message, but a web of them: 20 to 30 messages between sender and recipient, each requiring its own encryption key. In cases where fintech companies are layering solutions on top, a transaction could involve up to 100 messages.
This creates hundreds of encryption mechanisms across the payments value chain. Protecting all of them will not be as simple as downloading a software patch; it will require a painstaking, case-by-case approach to inventory and upgrade every cryptographic element.
“Each encryption must be found and replaced,” said Bullock.
David Piesse, an insurance technology expert, notes that the quantum threat extends to every sector that relies on digital security. “This affects insurance companies too,” including their growing reliance on digital payments for collecting premiums and disbursing claims. “Breaking encryption has to be dealt with, otherwise we’re all digitally naked.”
A Swift start?
SWIFT, the bank-owned utility whose messages underpin global payments, is already on the case. An executive told DigFin the group is using a third-party algorithm meant to protect the network’s central authentication from being decrypted post-quantum.
The source would not name the vendor, but there are now numerous companies marketing post-quantum cybersecurity solutions, such as QuSecure, Qrypt and SandboxAQ in the US, PQShield and Post-Quantum in the UK, ISARA in Canada, CryptoNext Security in France, and QNu Labs in India.
The challenge, the SWIFT executive said, is not embedding this sort of algorithm, but getting the network’s 11,000-plus banks to integrate their systems to be compatible. Very few have begun their own transitions.
A change is gonna come
That may be just starting to change. The finance industry took notice when Nvidia, the chipmaker, opened a quantum-computing lab in March. Its CEO, Jensen Huang, has declared quantum computing is nearing an ‘inflection point’, prompting the company to accelerate its efforts to build quantum-enabled computing stacks.
Talk by such a major technology company will help banks’ IT and cybersecurity sentinels make their case for allocating budgets to preparing for quantum. But it’s early days.
EPAA has been holding roundtables around the world for bank IT executives to discuss the issue. Bullock told DigFin that at a recent dialogue, a US bank’s chief information and security officer confessed that getting board approval for quantum-readiness funding is still a challenge. This gave a little comfort to the others in the room, whose institutions hadn’t even begun to pitch internally for help.
But that’s going to be cold comfort if it leads to inaction. The risks of delay are mounting.
IBM would, of course, love to be paid a fat fee to make this happen. Is it real? Well, we know quantum physics is real, because experiment after experiment fit the theory.
Getting a grip
Matt O’Keefe, KPMG’s Asia-Pacific cyber leader, frames the quantum threat as a multifaceted challenge: it is at once a business, technical, governance, and regulatory problem. He points out that the “harvest now, decrypt later” threat is particularly acute for payments. Attackers can steal encrypted data today and simply wait for quantum decryption capabilities to mature. For data with a long shelf life, such as sensitive transactional records or intellectual property, the risk is especially severe.
Banks have organized cybersecurity around well-known threat vectors, such as ransomware and phishing expeditions, as well as inside jobs. But they haven’t had to deal with the act of encryption itself. Now they do.
The complexity of the payments ecosystem means that no single entity can secure the system alone. Systemic security requires universal participation, coordinated upgrades, and shared standards. Yet many institutions remain in the early stages of assessment, and the lead time required to inventory and upgrade all relevant systems is difficult to estimate. SWIFT intends to announce its efforts later this year, which may help galvanize an industry-level response.
O’Keefe said the priority for tech teams is to build awareness and begin scenario planning. Organizations must understand what data is most valuable, how long it needs to remain secure, and what the consequences would be if trust in encryption is suddenly lost.
This is not like the Y2K project of the 1990s, when tech vendors convinced governments, banks, and enterprises that their software had to be replaced because the calendars of older systems only had two numerals for a year, and would think the millennium meant it was 1900. That created a program that was ridiculed at the time for hysteria and an excuse by consultants and vendors to extract big fees. In the end, January 1, 2000 was a non-event, although this is probably because the scare campaign worked, not because the threat was imaginary.
Shh, it’s a secret
Y2K came with a specific deadline and a reasonable proposition. Quantum computing is amorphous. The weirdness of quantum mechanics, which is so non-intuitive, makes the discussion difficult. And because many government programs treat their quantum research as a military secret, there’s even less information for banks to assess.
O’Keefe likens this to the Enigma codebreakers of World War II. The Germans built the Enigma machine for their U-Boats to make secret transmissions. Once the British cracked the encryption (using prototypes of computers developed by Alan Turing, among others), they didn’t announce their achievement. They stayed quiet and listened, even letting U-Boats torpedo supply convoys, until the time was right to disrupt German actions.
“If quantum can break encryption, and gets into a rival’s hands, we won’t be told,” O’Keefe said.
In the end, the problem of dealing with quantum is like quantum mechanics itself, compared to classical physics. In the classical world, a bit is a one or a zero, so it’s easy to identify. In the quantum world, identities and actions are probabilistic, not deterministic: a qubit is zero to one and the fractions between, simultaneously. This probabilistic nature enables massive computational power, along with plenty of confusion.
The PQC threat is similar: we don’t know when the moment of truth will arrive, or how it will be realized, but there’s a strong likelihood that it will come, and maybe even within the span of our own careers.
