We’ve all heard of quantum computing, but understanding how it works, and what impact it might have on everyday processes, is quite a different story. At its most basic, quantum computing focuses on technologies that harness the laws of quantum theory to solve challenges considerably more quickly than classical computers.
And speed is the critical factor here, because while the topic of quantum physics or quantum mechanics is fascinating, how it works is irrelevant to any discussion about the future of payments. What matters is how quickly it works and how this might compromise security in the future.
Keeping customer data secure is at the heart of what payment service providers like Computop do. We are governed by the PCI standards for data security that were designed to protect credit card data. It is the security delivered through credit card encryption that allows e-commerce and card-not-present transactions to be rapidly and seamlessly processed with a high level of trust between retailers, customers, banks and PSPs. So, what happens if this encryption is undermined by quantum computing?
The RSA encryption type used on credit cards utilises mathematical algorithms to encrypt customers’ personal data. Even if a brute-force attack was used, it would likely take years for a classical computer to factor the large numbers involved in the algorithm and break the cryptography. Not so for quantum computers, which are designed to carry out the most complex calculations quickly and could break through the encryption in days at most.
Right now, there are very limited applications for quantum computing and technology developments are not yet at a stage where they can be made commercially available. But tech forecasters are confident that with the help of investment – money being poured into quantum computing startups more than doubled between 2020 and 2021 – we are likely to see usable systems within the next seven years.
Prepare by becoming crypto-agile
The key to guarding against the threat is to be prepared and to collaborate as an industry – not just the payments and finance sector – but across all areas of IT that rely on encryption technologies. We need to adopt a crypto-agile approach and that means looking at quantum-resistant methods. The National Institute of Standards and Technology (NIST) in the US first asked cryptographers to look into the development of quantum-resistant encryption methods back in 2016 and has now chosen four algorithms with more to come. We need to aim towards developments in technology that allow security keys and encryption to be changed quickly using software that can re-encrypt communications and databases if algorithms are cracked.
But this is not easy. The plethora of data that is now held in databases can make processes cumbersome and decryption on a large scale could be problematic. Reprogramming software for a crypto-agile future will be time-consuming and could take years to complete, which is why we need to start now. In the payment industry we use HSMs which calculate quickly and support many algorithms, so we can expect to see partnerships forming that allow these changes to be sped up.
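The re-encryption step described in this section, as an added example (not Computop's code and not part of the original article): each stored record carries the id of the algorithm that protected it, so a retired algorithm can be replaced by migrating records in place. The algorithm ids, the keys and the HMAC-based stand-in cipher are constructed for illustration; a real system would call an HSM or a vetted library for the actual algorithms.

```python
import hashlib
import hmac
import secrets

# Registry: algorithm id -> hash used by the stand-in cipher below.
# Constructed ids; in production each id would map to an HSM-backed or
# library algorithm (for example a quantum-resistant replacement).
ALGS = {"demo-v1": "sha256", "demo-v2": "sha512"}
KEYS = {alg: secrets.token_bytes(32) for alg in ALGS}  # constructed demo keys

def _subkeys(alg):
    # Separate encryption and MAC keys derived from the algorithm's key.
    h, k = ALGS[alg], KEYS[alg]
    return hmac.new(k, b"enc", h).digest(), hmac.new(k, b"mac", h).digest(), h

def _stream(key, nonce, n, h):
    # Stand-in keystream (HMAC in counter mode). Illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), h).digest()
        ctr += 1
    return out[:n]

def protect(alg, plaintext):
    ek, mk, h = _subkeys(alg)
    nonce = secrets.token_bytes(16)
    ks = _stream(ek, nonce, len(plaintext), h)
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    # The algorithm id is authenticated so the header cannot be swapped.
    tag = hmac.new(mk, alg.encode() + nonce + ct, h).digest()
    return {"alg": alg, "nonce": nonce, "ct": ct, "tag": tag}

def recover(rec):
    ek, mk, h = _subkeys(rec["alg"])  # the stored header selects the algorithm
    want = hmac.new(mk, rec["alg"].encode() + rec["nonce"] + rec["ct"], h).digest()
    if not hmac.compare_digest(want, rec["tag"]):
        raise ValueError("integrity check failed")
    ks = _stream(ek, rec["nonce"], len(rec["ct"]), h)
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))

def migrate(db, retired, replacement):
    """Re-protect every record still using `retired`; return how many moved."""
    moved = 0
    for rid, rec in db.items():
        if rec["alg"] == retired:
            db[rid] = protect(replacement, recover(rec))
            moved += 1
    return moved
```

Because every record names its own algorithm, old and new records can coexist while a large database is migrated in batches.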
Will payments remain secure?
While we need to be wary and keep an eye on future developments, we should take heart from the stringent security measures we already have in place to protect customer data.
Tokenisation is a mechanism to hide all the credit card data and transmit an individual token for each transaction, or to attach automated permission to use these data on the device. This limits access to the customer’s personal details, and ensures transactions are completed in one click.
POS P2PE delivers a unique key for each payment, while in Germany the financial regulatory authority BaFin now requires strong encryption, using AES instead of Triple DES. And of course, customers are increasingly using smartphone wallets which exchange tokens, meaning that credit card data need no longer be entered by customers, who are additionally protected by two-factor authentication, which controls who triggers the transaction.
Quantum computing applications may be some time away. However, if they start to become commercialised by 2030, that gives us just a short window to develop the appropriate security defences for living and transacting in a post-quantum world. We don’t have time to spare if we want our personal data to remain safe. That’s why we should prepare for a swift change of encryption methods now, and not in ten years’ time.
Ralf Gladis is CEO of the payment service provider, Computop