Card industry braces for security threats from quantum computing

Quantum computing — the use of machines that perform exponentially more calculations and process far more data than standard hardware — is growing at a rate that could make it a threat to payment security systems.

And an increasing number of firms are investing in quantum computing, reports IDC, adding the companies that are investing more than 17% of their IT budgets on quantum computing will nearly triple in the next two years. Among those investing in quantum, 20% are already using it and 66% will begin using it in the next two years. The use cases most cited are accelerated business development and artificially intelligence enhancement.

But the same raw computing power can be turned against the security used in contactless payments, if banks and card networks aren't prepared.

"If quantum computing delivers on its promise, it would render obsolete many of today’s popular cryptographic algorithms, which rely on being very difficult to solve with computing power available today," said Zil Bareisis, head of Celent's retail banking practice. "Many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat."

Contactless payments are already much better protected than the magstripe cards the U.S. has relied on until recent years. Like EMV-chip cards or mobile wallets, contactless cards encrypt data to protect it against skimming and other means of theft. But encryption only works if it's stronger than the computers used to crack it.

Adobe Stock

Fime, a Paris-based firm that tests bank and payment technology, is now vetting checkout technology against contactless specifications that Mastercard published earlier this year to accommodate the growth of contactless and the threat of quantum computing. Called Enhanced Contactless (Ecos), the specifications are an attempt to standardize security for devices that accept contactless payments.

"Contactless is the key to a frictionless checkout journey … and it's important that the users trust the contactless technology," said Reza Rahmani Fard, head of product management for Fime, which will determine functional compliance with Ecos via testing.

Ecos builds on other Mastercard efforts to standardize digital payments security, such as universal "buy button" supported by Visa and other card brands. Visa has reportedly researched new cryptography requirements connected to quantum computing. Mastercard and Visa did not return requests for comment.

In an earlier interview, Chris Reid, executive vice president of identity solutions at Mastercard, said the updated Ecos is designed to ensure contactless technology is "future proof" against emerging threats, including those deriving from quantum computers.

Quantum computing isn't purely a threat. It could also aid banking activities such as investment decisions. Wells Fargo, for example, has partnered with IBM and MIT to test quantum computing and artificial intelligence to spot potential use cases for banking. Goldman Sachs is trying to speed the development of quantum computing, and Barclays and JPMorgan Chase have joined a quantum computing network to support trading, pricing and risk.

As quantum computing expands and becomes more ubiquitous, users outside of mainstream financial services could turn it against the encryption used to protect contactless and mobile payments.

"Current encryption technology is safe since it would take years with current computing technology to successfully decrypt the payment credentials in a contactless payment," said David Mattei, a senior analyst at Aite Group. But with recent advancements in quantum computing and its realization on the horizon, current encryption technology can be easily decrypted by a quantum computer in seconds or minutes, Mattei said.

"The payments industry is grappling with coming up with new encryption technology that a quantum computer cannot decrypt," he said.

One heightened security threat could be "man in the middle" attacks, where a third party intrudes on a digital communication to steal data, Fard said. The specifications and tests are designed to gauge payment systems' ability to interrupt outsiders who are trying to pull off such an attack.

"These [Ecos] specifications bring in a layer of protection that wasn't there before," said Fard. While quantum computing may not become mainstream technology in the next two years, the payments industry is working toward new encryption methods, a process that may also take years given the global need, according to Mattei.

"Just think about the number of point-of-sale terminals in the world, into the millions, all of those stores, processors, card brands, banks and credit unions," Mattei said.

Terminal builders, ATM firms and others will need to update anad test to ensure the quantum-protected encryption works. "Look at how long it took the U.S. to deploy EMV," Mattei said. "It will take at least that long for the world to implement a new encryption technology."

The interest in quantum computing comes as contactless payments quickly become mainstream. In the year following the pandemic's onset in March 2020, Mastercard's contactless transactions grew by 1 billion, with the number tripling in both the U.S. and Brazil. More than 100 nations reported contactless payments grew by at least 50%, according to Mastercard. The card brand also reported nearly two-thirds of consumers said they tried a new payment method. Visa has reported similar fast growth for contactless and other digital payments, and has suggested the trend will continue even as more traditional payment methods recover.

The growth was accompanied by raising contactless transaction limits in numerous countries, contributing to more growth and higher-value purchases.

Payment companies have responded to that growth with a variety of security measures, such as deploying biometric cards, to combat an increased fraud threat that results from crooks' attraction to the higher transaction numbers and volume.

Writing for American Banker Rafael Lourenco, an executive vice president and ClearSale, said the concurrent trends of contactless payments and contactless payment fraud will create challenges for merchants and payment processors to balance security and customer experience.

Testing and standardizing new point- of-sale technology can help manage that balance, Fard argues. "The objective of any cryptographic solution is to protect the 'ID' of the transaction, but also make sure the processing time remains low," he said.