How payment service providers are getting ready for quantum computing

By Ralf Gladis, CEO, Computop

As far as the public is concerned, quantum computers are still complex hardware installations that provide fast computing power for research under extreme conditions, mainly research into the technology itself. They believe that these devices can only be found in a handful of IT companies outside of universities.

The truth, however, is that in the slipstream of this large-scale technology, variants that are much more orientated towards user interests have been developed in the last one to two years, especially in Europe. Smaller quantum computers now work at room temperature, as they no longer require superconductivity close to absolute zero. There are now also devices for use in vehicles that are considerably cheaper than the research computers we still have in mind.

Even if the computing power of these more manageable computers is nowhere near as high – they often only work with two to four qubits – the technology will become more widespread, and not just for constructive use. This also increases the risk of unintentional data decryption, for example in payment transactions.

High standards for secure payment transactions

Payment service providers (PSPs) such as Computop ensure the secure processing of payment transactions over the Internet. They provide online and high street retailers with payment methods and transmit the data to banks, credit card organisations and other participants in payment transactions. To support this, the industry developed its own security standards over twenty years ago, including the PCI standards (Payment Card Industry), which are available in versions for card payments in retail (PCI-P2PE) or transactions in e-commerce (PCI-DSS). PSPs undergo intensive annual certification to ensure security when processing sensitive information such as credit card data. The ISO 27001 standard also monitors companies’ information security.

The asymmetric RSA method, named after the developers Rivest, Shamir and Adleman, is primarily used in payment transactions. This system uses a combination of public and private keys, whereby the private key cannot be calculated from the public key. With conventional, transistor-based technology, it takes years to decrypt a transaction secured in this way, but with the enormous computing power of a quantum computer, this time can be reduced to just a few days. The risk of compromise therefore increases dramatically.

Encryption must become more agile

One of the first measures we have taken is to lengthen the key. Instead of 2048 characters, transactions are now secured with 4096 characters, meaning that the computing power required for decryption increases exponentially. However, simply extending the key is not enough. Work on crypto agility must be carried out across all industries to defend against future threats. This means not only making keys secure, but also adapting the entire process chain to a faster change of the selected method. Especially when switching to symmetric procedures, where the sender and recipient agree on a password and an encryption algorithm, agility will be much more important than before.

This will take several years and, above all, requires intensive cooperation, as is always the case with common standards. The need for change goes beyond programming new software and developing modified interfaces: hardware security modules (HSMs), which are peripheral devices that form part of the encryption architecture, must also be upgraded.
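A minimal sketch of what crypto agility means at the message level, added here as an illustration and not taken from Computop's systems: each protected record names the method that secured it, and a policy object decides which method is applied now and which are still accepted. The method labels, the `Policy` class and the use of HMAC as the stand-in method are assumptions of this example.

```python
import hashlib
import hmac
import json

# Registry of available methods (names constructed for this example).
METHODS = {"mac-v1": hashlib.sha256, "mac-v2": hashlib.sha512}


class Policy:
    """Deployment policy: which method to apply now, which to still accept."""

    def __init__(self, current, accepted):
        self.current = current
        self.accepted = set(accepted)


def _tag(method, body, key):
    # The method label is part of the authenticated data, so relabelling an
    # envelope to a different method invalidates the tag.
    return hmac.new(key, method.encode() + b"." + body, METHODS[method]).hexdigest()


def protect(payload, key, policy):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"method": policy.current, "body": body.decode(),
            "tag": _tag(policy.current, body, key)}


def verify(envelope, key, policy):
    method = envelope.get("method")
    if method not in METHODS or method not in policy.accepted:
        raise ValueError(f"method {method!r} is not accepted")
    expected = _tag(method, envelope["body"].encode(), key)
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("authentication tag mismatch")
    return json.loads(envelope["body"])


def migration_demo():
    key = b"constructed-demo-key"           # constructed sample key
    payment = {"amount": "19.99", "currency": "EUR", "payee": "shop-123"}
    old = protect(payment, key, Policy("mac-v1", ["mac-v1"]))
    transition = Policy("mac-v2", ["mac-v1", "mac-v2"])   # switch, keep reading v1
    new = protect(payment, key, transition)
    results = [verify(old, key, transition)["payee"], new["method"]]
    try:
        verify(old, key, Policy("mac-v2", ["mac-v2"]))     # v1 retired
    except ValueError:
        results.append("v1 rejected")
    return results
```

Changing or retiring a method is then a change to the registry and the policy, while callers of `protect` and `verify` stay untouched.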

Payment service providers, on the other hand, benefit little from the speed that characterises quantum computers. Global payments are already being authorised and processed within a few seconds, with processing at the individual paypoint or checkout playing a rather minor role. Instead, it is the transmission times that account for the majority of the time between clicking on the “Buy” button and confirmation of successful payment.

It is not just payment processes that are affected by unauthorised decryption. If the SSL encryption of HTTPS websites can be broken, this causes a level of mistrust in internet technologies, and it can also affect email and direct messaging traffic to the detriment of the user.

One-way cryptograms for maximum security

Some of the current security measures that protect online payments are already immune to faster computers. This applies in particular to token technology, i.e. the replacement of critical payment data with random character strings. One example of this is tokenisation, which was developed by EMVCo for the major card companies. The tokens not only contain the card number, but also the expiry date, the three- or four-digit CVV code and the graphic of the physical card.

This also has advantages for customers: on the one hand, they no longer have to re-register expired cards, as the data is updated within the tokenisation chain. On the other hand, the card graphic displayed on the end device makes it easier for them to recognise whether it is their card or a counterfeit. The tokens are also linked to transactions. This is verified by an individual cryptogram that is only valid for a single payment transaction. Even if fast quantum computers are able to crack a token, they only obtain data from the past that does not allow any conclusions to be drawn about the next transaction.
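The single-use property described above can be sketched as follows. This is an added example, not EMVCo's actual cryptogram construction: HMAC-SHA-256, the transaction counter, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def make_cryptogram(key, token, amount_minor, payee, counter):
    """MAC over the token and the details of exactly one transaction."""
    fields = [token, str(amount_minor), payee, str(counter)]
    # Length-prefix each field so adjacent fields cannot be confused.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Holds the per-token key and the highest counter already accepted."""

    def __init__(self):
        self._keys = {}
        self._last = {}

    def provision(self, token, key):
        self._keys[token] = key
        self._last[token] = 0

    def authorise(self, token, amount_minor, payee, counter, cryptogram):
        key = self._keys.get(token)
        if key is None:
            return "unknown token"
        expected = make_cryptogram(key, token, amount_minor, payee, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"      # amount, payee or counter was altered
        if counter <= self._last[token]:
            return "replayed"            # cryptogram was already used
        self._last[token] = counter
        return "approved"


def demo():
    token, key = "tok_constructed_0001", b"constructed-demo-key"  # sample values
    v = Verifier()
    v.provision(token, key)
    c1 = make_cryptogram(key, token, 1999, "shop-123", 1)
    return [
        v.authorise(token, 1999, "shop-123", 1, c1),     # genuine payment
        v.authorise(token, 1999, "shop-123", 1, c1),     # same cryptogram again
        v.authorise(token, 999900, "shop-123", 2, c1),   # altered amount
        v.authorise(token, 1999, "other-payee", 2, c1),  # substituted payee
    ]
```

A captured cryptogram is useless for a second payment, and any change to the amount or payee is detected because those fields are part of the authenticated data.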

More pressure from DORA

The race to take advantage of quantum technology is therefore on. How quickly emerging security gaps can be closed also depends on how quickly applications such as CRM, ERP systems, accounting or online shops can be prepared for crypto agile processes and the rapid change of encryption. Companies should not underestimate the time this requires. New data security regulations, such as the European Digital Operational Resilience Act (DORA), are also helping to keep the topic on the agenda. Because auditors are also involved, this creates additional pressure for the companies concerned.

Knowledge is power

Being aware of the threat that the latest variants of quantum computers present is crucial to getting prepared, and the payments industry is already making changes. However, the threat comes not only from the risk of data being decrypted and stolen, but also from it being changed. This could result in other payees being substituted, or alternative amounts being paid, all without any trace of manipulation. This is a situation that needs to be taken seriously, now.

