Quantum computing may still be years away from breaking cryptography, but powerful quantum computers are rapidly advancing, and their impact on cybersecurity is already unfolding. Unlike previous technological shifts, quantum computing has the potential to render some of today’s most trusted cryptographic protections obsolete, forcing organizations to rethink how they secure data long before the threat materializes.
This moment, commonly referred to as Quantum Day, represents the point at which a quantum computer can effectively compromise algorithms that are considered unbreakable today. In a PaymentsJournal Podcast, Antoine Kelman, NORAM Payment Services Chief Technology Officer at IDEMIA Secure Transactions, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, discussed how organizations should prepare for this eventuality.
Getting an Early Start
A few years ago, Quantum Day was estimated to occur sometime between 2030 and 2040. However, rapid progress—particularly in countries like Korea—suggests that this timeline may be compressing. Many regulators are now urging organizations to be fully prepared by 2030, which is only a few years away.
Preparations are already underway. Regulators across multiple jurisdictions are requiring critical industries to assess their exposure and begin updating cryptographic protocols. National cybersecurity agencies are actively defining policies and advancing new standards.
A key concern is the emergence of “harvest now, decrypt later” attacks. In this model, attackers collect encrypted data today—even if they cannot yet decrypt it—with the intention of unlocking it in the future once quantum capabilities become available.
Online vs. Offline
The payments ecosystem includes cards and terminals with long operational lifetimes. Without sufficient preparation, these devices could become vulnerable. To address this, it’s important to understand how current transactions and cryptographic methods function.
There are two primary transaction types: online and offline. Offline transactions occur when the payment terminal can’t communicate with the issuing bank—whether due to connectivity issues, system outages, or practical constraints. Certain use cases, like mass transit, rely on offline processing because speed is critical.
Both transaction types must be addressed in the context of Quantum Day. On the online side, quantum computers are not expected to significantly weaken symmetric cryptography. As a result, maintaining strong, up-to-date algorithms is generally sufficient for quantum resilience.
Some networks mandate offline functionality for resilience purposes—for example, during large-scale cyber incidents that disrupt communications.
“We know that we’ll have to rely on offline transactions and therefore we have to address the Quantum Day risk,” Goldberg said. “We constantly have these types of conversations every time there’s a pretty significant change or shift that is needed, but eventually everyone will get on board.”
Identifying Additional Vulnerabilities
Another challenge is the long lifecycle of payment cards. Due to extended deployment and replacement cycles, it can take more than a decade to fully refresh cards in the field. As a result, some devices in circulation may still be active when Quantum Day arrives.
“With chip cards, we knew the risks for decades, and look how long it took us to make that migration,” Goldberg said. “If financial institutions, card issuers, acquirers, and merchants think that we’re going to be able to address Quantum Day concerns and we don’t get started now, they’re fooling themselves.”
The broader challenge lies in the complexity of the payments ecosystem. Cryptographic keys are stored, distributed, and managed across multiple layers and components, creating a wide attack surface.
“The first, most critical area to address in the payment business was the card itself,” said Kelman. “It continues to be our priority, because it embeds those secure elements that contain all the vital cryptographic assets that could be vulnerable to attacks.”
Seeking Agility
Any security measures implemented today will not be permanent. Crypto agility, the ability to rapidly and securely transition between cryptographic algorithms, will be key. Post-quantum cryptographic standards are still evolving, and flexibility will be important.
Achieving this will require a cultural shift. The U.S. payments ecosystem has traditionally operated in silos, where agility has not been a core design principle.
“It’s a very diverse ecosystem,” said Goldberg. “You have a lot of different players. You have a lot of different types of systems that have to connect to one another in agility. It just isn’t something that we thought about. But it’s going to be a necessity.”
The long-term goal is to avoid large-scale card reissuance whenever cryptographic updates are needed. Reissuance was a major challenge during the transition from magnetic stripe cards to EMV chips. Instead, issuers, acquirers, and networks should focus on building systems that can evolve without requiring physical replacement.
Consumers are already accustomed to frequent updates on their mobile devices. A similar expectation may emerge for payment cards, where security updates can be applied without requiring physical replacement.
Questions for Financial Institutions
Financial institutions have to begin addressing several key questions. They need to understand whether they have fully assessed their cryptographic bill of materials, where and how encryption is performed across their systems, and what tools and algorithms are in use so that risk can be properly evaluated.
For many organizations, these are new and complex challenges. In fact, some institutions lack a clear understanding of their current cryptographic risk exposure. Organizations should approach cryptographic risk assessment in the same way they evaluate broader cybersecurity risks—by identifying vulnerabilities, quantifying impact, and incorporating findings into a long-term strategy.
“We can’t prepare for risks that we haven’t identified yet, and that’s the way we have to approach this,” Goldberg said. “Things are going to come up that we haven’t even contemplated. We have to have models in place that are agile and can change.”
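As an added illustration (not from the podcast or from IDEMIA), the sketch below shows one way to turn a cryptographic bill of materials into a prioritized risk list, using the article's 2030 readiness date and its point that symmetric cryptography is not expected to be significantly weakened. The rating scheme, field names, 128-bit floor, and sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass

READINESS_YEAR = 2030  # readiness date regulators are urging, per the article

# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH"}
# Symmetric primitives: not expected to be significantly weakened.
SYMMETRIC = {"AES", "3DES"}
MIN_SYMMETRIC_BITS = 128  # assumed policy floor for "strong, up-to-date"
ORDER = {"HIGH": 0, "UNKNOWN": 1, "MEDIUM": 2, "LOW": 3}

@dataclass
class CryptoAsset:  # hypothetical inventory record
    name: str
    algorithm: str
    key_bits: int
    in_service_until: int    # last year the asset is expected in the field
    long_lived_secret: bool  # recorded ciphertext keeps its value for years

def assess(asset):
    """Return (rating, reasons) for one inventory entry."""
    if asset.algorithm in QUANTUM_BROKEN:
        reasons = ["public-key algorithm without quantum resistance"]
        if asset.long_lived_secret:
            reasons.append("harvest-now-decrypt-later exposure")
        if asset.in_service_until >= READINESS_YEAR:
            reasons.append(f"still in the field in {READINESS_YEAR} or later")
        return ("HIGH" if len(reasons) > 1 else "MEDIUM"), reasons
    if asset.algorithm in SYMMETRIC:
        if asset.key_bits < MIN_SYMMETRIC_BITS:
            return "MEDIUM", ["symmetric key below policy floor"]
        return "LOW", ["symmetric algorithm at current strength"]
    # An entry that cannot be classified is a finding, not a pass.
    return "UNKNOWN", ["algorithm not identified; needs manual review"]

def prioritize(inventory):
    """Sort assets so the most urgent migrations come first."""
    rated = [(a.name, *assess(a)) for a in inventory]
    return sorted(rated, key=lambda r: ORDER[r[1]])

# Constructed sample inventory (illustrative names, sizes and lifetimes).
INVENTORY = [
    CryptoAsset("online PIN encryption", "AES", 128, 2035, True),
    CryptoAsset("card offline authentication key", "RSA", 1984, 2036, False),
    CryptoAsset("terminal-to-host key agreement", "ECDH", 256, 2028, True),
    CryptoAsset("retired test signing key", "ECDSA", 256, 2027, False),
    CryptoAsset("legacy MAC key", "3DES", 112, 2029, False),
    CryptoAsset("firmware signing", "vendor-proprietary", 0, 2033, False),
]
```

Calling `prioritize(INVENTORY)` puts the long-lived card key and the recordable key agreement first, and keeps the unidentified algorithm ahead of known medium and low entries so it gets a manual review.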
A way forward is to engage technology partners already building solutions that help financial institutions accelerate their transition to post-quantum cryptography readiness. IDEMIA Secure Transactions is one such partner and is already supporting this transition through consultation, and by providing the following:
- Chips that support post-quantum cryptography.
- Hardware Security Modules (HSMs) for secure key and data management that can support evolving cryptographic standards, including post-quantum algorithms, while preserving long-term upgrade flexibility.
- Robust and certified cryptographic libraries supporting classical and post-quantum algorithms, enabling banks and fintechs to build crypto-agile applications and payment systems.
- Crypto-Agility Services, helping card issuers future-proof payment products through remote cryptographic updates, enabling rapid response to vulnerabilities, regulatory changes, and legacy cryptography deprecation.
Final Takeaways
At the end of the day, financial institutions should recognize that customers will be affected. Fraud risks may increase during the transition period, potentially snowballing into an overall poor user experience and broader ecosystem instability.
“We need to start preparing to address this issue in particular by issuing cards that would run quantum-ready algorithms, keeping in mind that the era in which we are entering into is very fluid,” said Kelman. “Our devices need to be crypto-agile and have these crypto-agile solutions. What we’re saying is basically we need to prepare now, if not yesterday. We need to prepare for the worst, but maybe hope for the best.”
