In a new whitepaper, global payments technology giant Mastercard has examined the urgent need for the financial sector to migrate to PQC.
The report, authored by Mastercard R&D together with NTU Singapore and PQStation, outlines the seriousness of ‘Harvest-Now-Decrypt-Later’ attacks, describes the threat landscape and its potential impact on the sector, and thoroughly compares and contrasts post-quantum cryptography and quantum key distribution (QKD), concluding that PQC is the more practical and applicable solution.
It’s another milestone paper, echoing the message that the quantum horizon is fast approaching and that the finance world must prepare, backed up with a thorough evidence-based anlaysis.
“We argue,” say the authors, “That early adopters of quantum migration today will be best positioned to protect their assets and maintain resilience in the face of future threats.”
Some of the key takeaways are:
- Investment in cryptographic inventory is an immediate priority. Institutions must know what protocols are in use, where certificates and keys are stored and which data flows they protect.
- Symmetric cryptography is secure. AES for example protects data against the quantum threat, but the public-key systems used to manage those keys is under threat.
- HNDL against key establishment can be mitigated by adopting hybrid TLS (ECC + ML-KEM).
- It’s important to plan for digital signature migration by considering crypto-agile solutions.
The paper also discusses global mandates, regulations and migration strategies including the Quantum Computing Cybersecurity Preparedness Act and CNSA 2.0 – outlining the well-documented timescales, leading to a 2033 compliance deadline. It’s clear that there’s a compliance driver towards readiness for financial industries, as well as a technological imperative.
It’s clear that the financial sector needs evidence-based triggers towards migration, and this paper is certainly one to take note of. The industry itself has been largely self-regulating in terms of its use of cryptography, and as Mastercard points out, a clearer risk analysis is needed – especially with regards to migrating digital signatures.