PQC in Payments & Banking

Financial systems are the most critical and most complex infrastructure to migrate. Payment networks handle trillions of dollars daily, involve hardware from payment terminals to core banking systems, and have extremely long replacement cycles. Here's why financial infrastructure is at the top of the quantum threat list — and what's being done about it.

Why Financial Infrastructure is Uniquely at Risk

Financial systems face a combination of factors that make them the highest-priority quantum migration target:

  • Long-lived secrets: Financial records, account information, and transaction histories must remain confidential for decades. Harvest-now-decrypt-later attacks directly threaten this data.
  • Hardware constraints: Payment terminals, ATMs, and HSMs (Hardware Security Modules) have 10–15 year replacement cycles. New hardware needs to support PQC. Old hardware may need firmware updates or replacement.
  • Deeply embedded cryptography: RSA and ECC are embedded in PKI for banking apps, TLS for online banking, EMV chip protocols, SWIFT messaging, payment gateway APIs, and interbank communication.
  • Regulatory pressure: Financial regulators globally are beginning to mandate PQC migration timelines. Non-compliance carries heavy penalties.

Where Cryptography Appears in Payment Systems

EMV Chip Cards

EMV (Europay, Mastercard, Visa) chip-and-PIN cards use RSA and ECC for card authentication and PIN encryption. Over 10 billion EMV cards are in circulation globally. Migration requires new card standards, updated terminals, and issuer system changes.

High urgency — long replacement cycles

SWIFT Messaging

SWIFT (the interbank messaging network used by 11,000+ financial institutions) uses PKI for message authentication. SWIFT has published post-quantum roadmaps and is working on PQC migration with member banks.

Medium urgency — centrally managed

Online Banking TLS

Every HTTPS connection to your bank uses ECDH for key exchange. This is the easiest migration target: server-side TLS can be upgraded independently of clients by using hybrid key exchange, which combines the classical exchange with a post-quantum one.

Actionable now — deploy hybrid TLS
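
As an added example (not code from the original page), the Python below reads the key_share extension of a TLS 1.3 ServerHello to show which key exchange group a server actually selected, which is the check to run after enabling hybrid TLS. The function names and the sample ServerHello bytes are constructed for illustration; the group codepoints are those of the IANA TLS Supported Groups registry.

```python
import struct

# IANA "TLS Supported Groups" codepoints -> (name, is_hybrid_pqc)
GROUPS = {
    0x0017: ("secp256r1", False),
    0x001D: ("x25519", False),
    0x11EB: ("SecP256r1MLKEM768", True),
    0x11EC: ("X25519MLKEM768", True),
    0x11ED: ("SecP384r1MLKEM1024", True),
}
EXT_KEY_SHARE = 0x0033

def negotiated_group(server_hello: bytes) -> int:
    """Return the key_share group codepoint from a TLS 1.3 ServerHello body."""
    try:
        pos = 2 + 32                          # legacy_version + random
        pos += 1 + server_hello[pos]          # legacy_session_id_echo
        pos += 2 + 1                          # cipher_suite + compression method
        (ext_total,) = struct.unpack_from("!H", server_hello, pos)
        pos += 2
        end = pos + ext_total
        if end > len(server_hello):
            raise ValueError("extensions block is truncated")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", server_hello, pos)
            pos += 4
            if ext_type == EXT_KEY_SHARE and ext_len >= 2:
                return struct.unpack_from("!H", server_hello, pos)[0]
            pos += ext_len                    # skip any other extension
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ServerHello") from exc
    raise ValueError("no key_share extension: not a TLS 1.3 ServerHello")

def classify(server_hello: bytes) -> str:
    """Label the selected group as hybrid PQC, classical only, or unknown."""
    gid = negotiated_group(server_hello)
    if gid not in GROUPS:
        return f"0x{gid:04x}: unknown group, review manually"
    name, hybrid = GROUPS[gid]
    return f"{name}: " + ("hybrid PQC" if hybrid else "classical only")

def build_server_hello(group: int, share_len: int) -> bytes:
    """Constructed sample: ServerHello body with supported_versions + key_share."""
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)       # supported_versions = TLS 1.3
    exts += struct.pack("!HHHH", EXT_KEY_SHARE, 4 + share_len, group, share_len)
    exts += bytes(share_len)                            # placeholder key share
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
```

A server that has been upgraded but still returns a classical group for a given client is falling back for that client, so the result is best tracked per client population rather than as a single pass or fail.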

HSMs (Hardware Security Modules)

Banks use HSMs to protect private keys for everything from TLS to code signing to key management. HSMs must support post-quantum algorithms — older models may need firmware updates or hardware replacement.

High urgency — long procurement cycles

Mobile Banking Apps

Mobile apps use certificate pinning, TLS, and biometric authentication — all involving RSA or ECC. App updates can carry PQC support, but certificate infrastructure must be upgraded in parallel.

Medium urgency — manageable via app updates

CBDC Infrastructure

Central Bank Digital Currencies being designed right now can (and should) incorporate PQC from the start. Several central banks explicitly require PQC in their CBDC technical specifications.

Design it in now

Regulatory Timeline for Financial Institutions

  • 2022: US NSM-10 mandates federal agencies inventory cryptographic use. Financial regulators begin awareness campaigns.
  • 2024: NIST publishes FIPS 203/204/205. CISA, FS-ISAC release financial sector PQC guidance. EMVCo begins post-quantum payment standards working group.
  • 2025–2027: Expected period for regulatory guidance to become mandatory requirements. Banks begin procurement of PQC-capable HSMs. SWIFT begins PQC migration pilots.
  • 2030: NIST recommends this as the transition point away from classical algorithms for US government systems. Financial regulators expected to align.
  • 2035: US government mandated deadline for all federal systems to use PQC. Financial sector expected to be fully migrated for new deployments.

SWIFT and Interbank Messaging

SWIFT handles over $5 trillion in daily transactions. Its security relies on PKI-based message authentication using RSA and ECC. A quantum-capable adversary who could break SWIFT's cryptography could forge payment instructions, redirect funds, or eavesdrop on interbank communications.

SWIFT's approach: SWIFT published a post-quantum cryptography threat assessment in 2022 and has committed to maintaining cryptographic agility in its Customer Security Programme (CSP). Their migration roadmap targets hybrid classical/PQC schemes as a first step, with full migration following NIST standardization completion.

Frequently Asked Questions

Should I worry about my bank account today?

For everyday consumers, there's no immediate threat to your funds. The quantum threat to financial systems is real but not yet exploitable — large-scale quantum computers don't exist yet. Banks are actively working on migration. However, if you have financial data that needs to stay secret for 10–20 years (e.g., very sensitive transaction histories), the harvest-now-decrypt-later threat is relevant. Consumer-facing impact will be most visible as banks upgrade their apps and online banking TLS over the next few years.

Will my credit card need to be replaced because of quantum computers?

Eventually, yes — but on a normal card replacement cycle, not an emergency recall. EMV standards are being updated to include post-quantum cryptography. When your bank issues you a new card in 3–5 years, it may carry a PQC-capable chip. This will be transparent to consumers. The transition happens through normal hardware refresh cycles, not panic card replacements.
