Having spent over two decades in digital payments and cybersecurity, I’ve witnessed how the industry evolves with technology, often at a painstakingly slow pace. Even a simple key management improvement could take years for a large bank to implement. This reluctance to move fast on security has been a long-standing challenge.

With recent breakthroughs in topological qubits, quantum computing is no longer a distant theory. Accelerated efforts toward large-scale quantum computers include Google’s Google’s 105-Qubit Willow Chip, IBM’s 433-qubit processor, Nokia Bell Labs’ topological qubit, and Microsoft’s Majorana 1 chip. This is a wake-up call for the digital payments industry—quantum threats are not 10–20 years away.

Why This Matters Now

When quantum computing reaches sufficient scale, it will break current encryption standards, including RSA and ECC—the foundation of digital payments security. The stakes are staggering: while modern computers would take 300 trillion years to crack an RSA 2048-bit key, a quantum computer could achieve it in just 10 seconds. Shor’s algorithm will render RSA and ECC encryption obsolete, jeopardizing key exchange and digital signatures and making compliance with regulations like GDPR, PCI DSS, and HIPAA impossible under current cryptographic standards.

Yet, the industry’s response has been largely complacent, assuming there is still time. However, history has shown that security adaptation always lags behind technological innovation. Predictions indicate that fully error-corrected quantum computers could be available as early as 2030. By 2033, 25% of experts estimate a 50% likelihood that quantum computing will compromise cybersecurity. Even if these dates seem distant, the threat is already here—malicious actors are actively harvesting encrypted data today, storing it for future decryption. This “harvest now, decrypt later” strategy means sensitive data is already at risk from tomorrow’s quantum breakthroughs.

NIST has set firm deadlines—2030 for the initial adoption of post-quantum cryptography (PQC) and 2035 for the full phase-out of legacy algorithms. Organizations can no longer afford to delay their PQC transition. To strengthen cryptographic infrastructure for the quantum era, NIST has finalized three PQC standards:

• One standard for general encryption, securing a wide range of electronic information.
• Two standards for securing digital signatures.

The finalization of these standards provides the clarity and direction organizations need to begin their transformation toward crypto-agility. The time to act is now.

We cannot afford to wait. It’s better to be crypto-agile and ready now, rather than scrambling when the threat becomes real.

What Needs to Be Done?

1. Move Toward Quantum-Resistant Cryptography – The transition to post-quantum cryptography (PQC) must start now. NIST’s quantum-safe encryption standards are available, but widespread adoption is still slow.
2. Embed Crypto Agility into Payment Systems – Banks, fintechs, and payment processors must build security frameworks that can easily switch cryptographic algorithms when needed. This is not just about upgrading encryption—it’s about being adaptable.
3. Regulatory and Industry Alignment – The industry needs clear compliance mandates for quantum security readiness, pushing stakeholders to act proactively.
4. Investment in R&D and Collaboration – Digital payments companies must partner with cybersecurity experts, research institutions, and quantum computing firms to stay ahead of evolving threats.

Final Thought: A Multi-Trillion Dollar Industry Must Be Ready

With global digital payment volumes exceeding $10 trillion annually, the stakes are higher than ever. If we don’t prepare today, the cost of retrofitting security in a post-quantum world will be 10 times higher than what it takes to act now. This is not just a technology challenge—it’s a business imperative.

The technology is advancing—faster than expected. Are we ready?