Securing the Future: Why Post-Quantum Cryptography Matters to Financial Institutions – International Banker

By Vasco Gomes, Global CTO Cybersecurity Products, and Klaus Schmeh, Chief Editor of Marketing, Eviden
For decades, the financial industry has relied on cryptography as a silent guardian of trust. Whether you’re transferring funds across the world or logging into your online banking app, encryption is at work behind the scenes, shielding sensitive data from cybercriminals and eavesdroppers. But a disruptive force is fast approaching—quantum computing.
Unlike traditional machines, which process data in binary bits (zeros and ones), quantum computers use qubits. These can represent multiple states simultaneously, allowing quantum machines to perform complex calculations at speeds that vastly outpace even the fastest supercomputers. This breakthrough cracks open the door to a serious threat: the ability to break the encryption systems that secure modern banking.
The most widely used cryptographic systems today, such as RSA (Rivest–Shamir–Adleman) and Diffie-Hellman (DH), rely on mathematical problems that are nearly impossible for classical computers to solve within a reasonable time. But quantum computers could, theoretically, solve those same problems in minutes. The moment this capability becomes real has been dubbed “Q-Day”—a milestone that could mark the beginning of an entirely new era of cyber-risk. Another term, “Y2Q”, refers to the year of this event. Like the Y2K bug that loomed at the turn of the millennium, Y2Q underscores the urgency of preparing our digital infrastructure for a quantum-enabled world.
Governments and researchers worldwide are racing to stay ahead of this emerging risk. In the United States, the National Institute of Standards and Technology (NIST) has been leading an international effort to identify and standardize new cryptographic algorithms that can resist quantum attacks. In July 2022, the NIST announced its initial selections for standardization and other post-quantum algorithms. The first NIST post-quantum standards were released in 2024; others will follow.
Security agencies—including the US National Security Agency (NSA) and its counterparts in Europe—have mandated that critical infrastructures adopt post-quantum cryptography (PQC) within the next 10 years. Banks, for example, may need several years to fully update their cryptographic foundations, especially if they aim to do so without interrupting services or breaching regulatory compliance.
To aid this transition, the concept of “crypto agility” has emerged as a best practice. Crypto-agile systems are designed to switch between cryptographic algorithms quickly and efficiently. Rather than being locked into a single encryption method, banks can update systems as new standards evolve—making them far more resilient in the long run.
Quantum computing poses a transformative and potentially devastating threat to the entire financial sector. From retail banking and asset management to payment processing and digital identity verification, the industry depends on cryptographic systems to protect sensitive data and ensure secure transactions. As quantum computers develop the ability to break widely used cryptographic algorithms such as RSA and ECC (elliptic-curve cryptography), the core security mechanisms that underpin financial operations are at risk of becoming obsolete.
This threat is especially acute in the payment ecosystem, where cryptographic protocols secure critical use cases. Online payment gateways rely on RSA and ECC to validate merchant credentials and encrypt transaction details during checkout. Mobile payment platforms use ECC to authenticate users and authorize payments on devices with limited processing power. In brick-and-mortar environments, point-of-sale (POS) terminals use cryptographic keys to verify card authenticity and communicate securely with payment processors. Internal communications between servers, databases and authorization systems are protected by encryption protocols such as TLS (Transport Layer Security), which would be compromised in a post-quantum world.
Even more troubling is the threat to long-term financial data. Sensitive information such as credit-card numbers, personal identifiers and transaction records must often remain secure for years. This gives rise to the “harvest now, decrypt later” threat model, where attackers collect encrypted data today with the intention of decrypting it once quantum capabilities mature. Hardware Security Modules (HSMs), which store and manage cryptographic keys, represent another vital use case. They act as the digital vaults of banks and financial institutions, and if their encryption is broken, the breach could be catastrophic.
Given the interconnected nature of financial services and the critical importance of long-term data confidentiality, the sector cannot afford to delay. Transitioning to quantum-resistant cryptography is essential to safeguard stability and customer trust.
Legal frameworks across the globe are evolving to reflect the growing awareness of quantum threats. In the European Union (EU), the General Data Protection Regulation (GDPR) already mandates that organizations protect personal data using “appropriate technical and organizational measures”, including encryption. Regulators interpret this as a requirement to adopt industry best practices—meaning banks that fail to adopt PQC in time may not be compliant.
The EU Cybersecurity Act and the revised Network and Information Security Directive (NIS2 Directive) further reinforce the importance of strong encryption. NIS2, in particular, calls for enhanced resilience across critical sectors, explicitly highlighting financial services.
Globally, ISO/IEC 27001 (of the International Organization for Standardization/International Electrotechnical Commission), the leading standard for information-security management systems, includes encryption as a core control. Likewise, the PCI DSS (Payment Card Industry Data Security Standard) mandates the secure transmission and storage of cardholder data—both of which are dependent on strong, resilient cryptography.
Bank-specific regulations are also tightening. The SWIFT Customer Security Programme (CSP), a global initiative that sets baseline cybersecurity standards for banks, is beginning to include guidance on PQC readiness. The European Union’s Digital Operational Resilience Act (DORA) adds even more pressure, requiring financial institutions to identify and mitigate all major ICT (information and communications technology) risks. DORA doesn’t mention PQC explicitly, but it requires a risk assessment. The quantum risk needs to be taken into account according to Article 9 (Protection and Prevention) and Article 13 (Learning and Evolving).
Even private consortia such as EMVCo, which governs EMV chip and PIN payments, and Nexo Standards, which sets standards for card-transaction management, are now exploring PQC integration. Nexo has initiated dedicated working groups, and draft standards are expected within a few years.
In a joint statement in 2024, the cyber agencies of 18 EU member states formally acknowledged the quantum threat and called for immediate action. The statement recommended that all public and private organizations—financial institutions included—begin the transition to post-quantum cryptography without delay. Among the key recommendations is the migration of public key infrastructure (PKI) and of systems handling sensitive information by the end of 2030. Taken together, these developments will make it very hard for financial institutions that have not started their migrations to demonstrate DORA compliance.
More comprehensive guidance on post-quantum migration strategies for the financial industry can be found in the document “A Call to Action” published by the Quantum Safe Financial Forum.
Given the complexity of modern banking systems, migration to PQC must be a carefully managed process. Experts agree that the first and most crucial step is cryptographic inventory. Banks need to understand exactly where and how cryptography is used across their infrastructures.
This goes beyond listing encryption protocols. It includes mapping key management systems, identifying legacy applications with hardcoded algorithms and cataloging third-party software. CycloneDX, a widely accepted standard for software bills of materials, now includes a component called the Cryptography Bill of Materials (CBOM), which helps organizations document and manage cryptographic components.
Once a complete inventory is available, banks can move on to risk assessment. This involves evaluating which systems are most vulnerable to quantum attacks and prioritizing them based on factors such as data sensitivity, expected lifespan and regulatory exposure. Several frameworks have emerged to support this step, including the Mosca XYZ methodology, CARAF (Crypto Agility Risk Assessment Framework) and tools developed by institutions such as Wells Fargo.
From there, banks must build a comprehensive migration roadmap. This plan should include short-, medium- and long-term objectives, as well as interim solutions—such as deploying hybrid systems that combine classical and quantum-resistant algorithms. While some agencies are cautious about hybrid cryptography due to potential complexity, others view it as a practical stepping stone.
The roadmap should also account for vendor dependencies. Many financial systems are supplied or managed by third parties, and collaboration will be necessary to ensure end-to-end security.
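As an added example (not from the article or from Eviden), the sketch below applies Mosca's inequality, the rule behind the Mosca XYZ methodology named above, to the inventory and risk-assessment steps: an asset is exposed when the data's shelf life X plus the migration time Y exceeds Z, the assumed time until quantum attacks become practical. The inventory entries, the year values, the algorithm-name format and Z = 10 are all constructed assumptions.

```python
# Added example: inventory entries and all year values are constructed.
from dataclasses import dataclass

# Map algorithm names as found in an inventory to the public-key families
# the article names as breakable by quantum computers (RSA, DH, ECC).
FAMILIES = {"RSA": "RSA", "DH": "DH", "ECDSA": "ECC", "ECDH": "ECC"}

@dataclass
class Asset:
    system: str        # where the cryptography is used
    algorithm: str     # algorithm string recorded during inventory
    shelf_life: float  # X: years the protected data must stay secure
    migration: float   # Y: years needed to migrate this system

def family(name):
    """Return the quantum-vulnerable family for a name, or None."""
    return FAMILIES.get(name.upper().split("-")[0])

def mosca_margin(asset, z_years):
    """Return Z - (X + Y); a negative margin means the data is exposed."""
    return z_years - (asset.shelf_life + asset.migration)

def prioritize(inventory, z_years):
    """Rank quantum-vulnerable assets, most exposed first."""
    findings = []
    for a in inventory:
        fam = family(a.algorithm)
        if fam is None:
            continue  # not one of the public-key families listed above
        margin = mosca_margin(a, z_years)
        findings.append((a.system, fam, margin, margin < 0))
    return sorted(findings, key=lambda f: f[2])

INVENTORY = [  # constructed sample, hypothetical systems
    Asset("card-data archive key wrap", "RSA-2048", 10, 4),
    Asset("mobile payment authentication", "ECDSA-P256", 0.5, 2),
    Asset("internal service TLS", "DH-2048", 1, 3),
    Asset("database encryption at rest", "AES-256-GCM", 10, 1),
]

if __name__ == "__main__":
    # Z = 10 years is an assumption, not a figure from the article.
    for system, fam, margin, exposed in prioritize(INVENTORY, z_years=10):
        status = "EXPOSED" if exposed else "ok"
        print(f"{status:8} {margin:+5.1f}y  {fam:4} {system}")
```

Rerunning the ranking with a smaller Z shows how quickly long-lived data moves into the exposed set, which is the "harvest now, decrypt later" concern expressed in numbers.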
Several pioneering initiatives are already demonstrating the feasibility of PQC in the financial world. In 2023, the Banque de France and the Monetary Authority of Singapore (MAS) conducted a successful cross-border transaction using quantum-safe cryptography.
Following this, the LEAP (Leading Edge Applications for Post-quantum) project expanded the scope to test quantum-safe security across broader parts of the financial ecosystem. It showed how multiple cryptographic layers—from messaging protocols to identity management—could be adapted to withstand quantum threats.
These pilots are more than academic exercises. They offer practical insights, validate emerging standards and build the momentum necessary to make PQC deployment a global reality.
In the complex cryptographic landscape of the banking sector, hardware security modules (HSMs) occupy a foundational role. These dedicated devices are engineered to perform cryptographic operations, store secret keys and manage critical security functions with the highest levels of assurance. They serve as the trust anchors for a wide range of operations, from digital signatures and key management to transaction authentication.
Banks typically rely on two main types of HSMs. The first are payment HSMs, which are specifically designed for securing transactions—whether for card-based payments, ATM (automated teller machine) operations or mobile wallets. These devices must adhere to strict compliance standards and handle large volumes of secure transactions every second. The second category includes general-purpose HSMs, which are used across a wider range of security applications. These can be deployed on-premise in data centers or accessed via cloud-based HSM-as-a-Service (HSMaaS) models—offering flexibility and scalability in line with evolving IT (information technology) strategies.
Regardless of the type of deployment model, all HSMs share a common requirement in the quantum era: They must be upgraded to support post-quantum cryptographic algorithms. This migration will be essential to ensure that the very core of banking trust remains secure against future quantum threats.
Eviden, a global leader in digital transformation and cybersecurity, is already taking concrete steps to prepare financial institutions for this next era of security. The company offers a range of PQC-ready products designed to integrate seamlessly into existing banking infrastructure.
The HSMs of Eviden are crypto-agile; they are engineered to support the next generation of cryptographic algorithms | Source: Eviden
This portfolio includes the Trustway family of HSMs. These HSMs are engineered to support the next generation of cryptographic algorithms, including those standardized by the NIST for post-quantum resilience. Complementing them is GreenShield, a solution developed to provide quantum-safe protection for emails and files. Eviden leverages its long-standing expertise and deep understanding of cryptographic technologies and environments—including open-source initiatives such as OQS (Open Quantum Safe), Bouncy Castle and OpenSSL—to help banks navigate the increasing complexity of post-quantum security. By relying on a strong network of strategic partnerships with industry leaders such as CryptoNext Security, ISARA Corporation, PQShield, QRisk and SandboxAQ, Eviden provides access to cutting-edge tools for cryptographic advisory, library integration, discovery, inventory and lifecycle management. This unique combination of technical know-how and trusted collaborations enables Eviden to stay ahead of the curve and guide clients with confidence in an ever-evolving threat landscape. These platforms help organizations identify where cryptography is used, assess vulnerabilities and prioritize migration efforts—creating a solid foundation for an effective and secure transition.
The reality of quantum computing is drawing closer. While the technology itself is still maturing, the threat it poses to cryptographic security is already well understood—and well documented. For banks, the challenge is not just technical but also strategic. Waiting for Q-Day to arrive is not an option. The time to act is now.
Post-quantum cryptography is not merely a theoretical concern—it is a practical necessity. As regulatory frameworks tighten, as industry standards evolve and as global awareness grows, the banking sector must lead by example. The migration to PQC will take time, investment and coordination, but the cost of inaction could be far greater.
The journey begins with a clear understanding of your current cryptographic landscape. By inventorying assets, assessing associated risks and defining a strategic roadmap, banks can lay the groundwork for a secure, resilient and quantum-ready future. This transformation also means equipping technology teams today with PQC-ready HSMs and the tools they need to transition to post-quantum cryptography seamlessly.
To support organizations beginning this journey, Eviden offers a detailed “Post-Quantum Cryptography Migration Guide”. This resource provides practical insights, step-by-step recommendations and industry-specific guidance for navigating the path to quantum-safe security.
Klaus Schmeh is Chief Editor Marketing at Eviden Digital Identity. He is the most-published cryptology author in the world. He has written 15 books about the subject, as well as hundreds of articles, 25 scientific papers, and 1500 blog posts. Klaus is a popular speaker, known for his entertaining presentation style involving self-drawn cartoons and Lego models.

