Payment industry urged to act now on quantum threats

The payments industry must urgently respond to the looming privacy and security threats posed by quantum computing, a new position paper from the Emerging Payments Association of Asia (EPAA) argues.

According to the paper, ‘Quantum safe payments: Why the payments industry must act now’, the trust in the integrity of networks and confidentiality of data that the payments industry relies on is under pressure due to the shifting risk landscape caused by advances in quantum technology.

Regulators across the region are treating ‘harvest now, decrypt later’ as a credible risk that requires action, with the concern being that threat adversaries may already be stockpiling sensitive encrypted data with the aim of decrypting it once quantum capabilities advance. This could result in customer records, transaction logs and compliance archives being exposed long after the data was first collected, the paper argues.

Industry must be ready to address this structural threat, and responses need to be coordinated both within and across geographies to be effective, it states.

But research conducted during workshops hosted by the association across Sydney, Hong Kong, Singapore and Malaysia over the past four months found that only 20% of payment industry participants consider themselves to be very familiar with the quantum threat to current cryptography, with 32% answering that they are not very familiar and 12% stating that they are not familiar at all.

The position paper gives several real-world examples of the risks of quantum computing to the encryption protocols and models used by services such as digital wallets, open banking and real-time payment systems.

For example, SWIFT messages use authentication protocols that quantum computers could eventually break. Blockchain networks could be exploited if attackers can derive private keys from exposed public keys, meaning wallets could be drained or transaction processes forged. Long-life data stored for compliance or audit purposes may also be exposed in the future.

The paper asserts that the payment industry must urgently consider taking steps including mapping how and where encryption is used, building a cryptographic inventory to identify which cryptographic assets exist and are most vulnerable, transitioning to quantum-safe algorithms, and updating supplier contracts and procurement processes to include quantum-safe expectations.

The EPAA’s research found that only 29% of businesses have a plan in progress for migrating to quantum-safe cryptography, but a further 4% have completed a risk assessment and 21% have plans in place for a transition.

The biggest perceived barriers to moving forward on quantum readiness include unclear standards or industry direction (29%), lack of leadership buy-in (29%), budget or resource constraints (18%), the complexity of legacy systems (12%) and vendor or third party dependencies. Taking action will be a growing imperative, with governments in Australia and elsewhere already signalling that post-quantum compliance will be required, the paper adds. Australia’s cybersecurity agencies have set a clear roadmap to migrate by 2030.

EPAA chief executive Camilla Bullock said the payments industry cannot afford to delay its response.

“Quantum computing has the potential to deliver extraordinary breakthroughs in health care, climate modelling and scientific research, but in the wrong hands it poses serious risks,” she said. “We know scammers are already collecting encrypted data, waiting for quantum computers to break it.

“Responding to quantum threats is complex and requires coordinated industry-wide action to manage technical, regulatory, operational, reputational and compliance risks. The time for banks and payments providers to act is now.”

The EPAA is a membership organisation for payment industry stakeholders including payment schemes, banks, issuers, merchant acquirers, PSPs, technology providers and wallets. Australian members include CBA and ANZ.

Image credit: iStock.com/NatalyaBurova