Quantum computing is set to change the face of IT security, and has the potential to break all current payment security systems. This is not the stuff of science fiction: these computers already exist, and are getting more powerful every day. Worldline R&D head Nicolas Kozakiewicz writes
The main difference between traditional and quantum computers is that they work in a different way.
Traditional computers, the sort you have at home or in a smartphone, for example, all work in binary – a combination of zeroes and ones used in varying sequences to create the functions we expect computers to perform. This methodology has given enormous power to these computers, and we rely on them for most technological tasks performed today.
Quantum computers take this computing power to a new level, because they are not limited to just the two states of zero and one. They process in quantum bits, or Qubits, and can also create a ‘superposition’ of these. As a result, the have the capability to be millions of times more powerful for some kinds of mathematical calculation than even the most sophisticated supercomputers in the world.
The current payment systems security protocols have all been created with traditional computing in mind. So, when we talk about a particular type of payment security taking tens of years to crack, we are not taking into account the power of quantum computing. If a quantum computer was set the task of breaking even the most secure payment system in existence right now, it would take a fraction of that time. This leaves customers and retailers – not to mention governments, banks and so on – exposed to a much greater risk of breach.
This means that as we design the payment security systems of the future, we need to think about how powerful these computers will be, and work towards future-proofing our security needs. For example, one of the current market-leading security types for identity and online transactions is RSA. But with the power of quantum computing levelled at even this type of security, it is unlikely to be able to withstand the code-cracking capabilities in its current form.
Even SHA-2 and SHA-3 will need a larger output to defend against criminals using quantum computing. AES, which works with symmetric key encryption, will need to create larger key sizes to protect against hacks.
However, the National Institute of Standards and Technology (NIST), part of the US Department of Commerce, is working on behalf the international community towards creating more advanced cryptography designed to protect against the possibility of quantum computing breaching existing IT and payment security protocols. The aim is to standardise quantum-resistant security so we are able to create a new and more highly developed systems for both IT and payments security within the next decade.
Back in 2016, when the potential security issues raised by quantum computing were realised, NIST asked for proposals to develop public key encryption, key exchange and signature schemes, which had to be submitted by November 2017. There were 82 submissions from around the world, showing how sophisticated the solution to this problem will need to be. NIST is currently, in 2019, reviewing and analysing a shortlist of 26 submissions, and should have completed the process by 2022. It is expected that draft standards will be ready two years later, so by 2024 or 2025.
At present, quantum computers need special conditions to operate effectively, including the requirement to be kept in an environment at or near absolute-zero temperatures to enable them to work in an optimum way. This is not an easy task, and requires specialist equipment that is not readily available. So, for now, quantum computers are considerably rare. In fact, many are housed in academic institutions, or are being developed by manufacturers as they look to harness their power for the future.
However, it is important not to discount the ways in which these computers can be used, as it would be very easy for a rogue nation to harness a quantum computer for misdeeds, for example. As we currently stand from a payment-security perspective, the world is vulnerable to this type of attack.
It is not only rogue nations we need to think of either. Large crime syndicates would easily be able to afford a quantum computer, and with the right team, could potentially create havoc worldwide in every forum, from banking and payment systems through to high-level security breaches at government security agencies.
For merchants, banks and payment schemes such as Visa and Mastercard, the prospect of dealing with security breaches that they have no ability to guard against because payment systems do not have the technology creates a real problem. Banks and merchants are on the front line when it comes to payment security. The customer’s relationship is with you, and it is taken for granted to a certain extent that any payment made by a customer is secure. No one would have good reason to think the payment, or their personal details, were at risk in transacting with you.
It is vital that as quantum computing progresses, payment industry users ensure that they are working with technology providers that integrate the new standards to protect them and their customers against the very real threat that these powerful computers present.
Quantum computers are no longer science fiction: they are science fact, and until the payment and IT security systems wake up and catch up to their power, the industry remains vulnerable. Now is the time to act to ensure that we create new, improved and impervious payment security systems that will take us into the next phase of computing.