The German Banking Industry Committee (GBIC) has published a comprehensive position paper outlining the urgent need to prepare for quantum-safe cryptography.
"As quantum computing advances, traditional cryptographic methods face increasing risks. GBIC emphasizes that migration planning must begin now, even if cryptographically relevant quantum computers are not yet available," said André Nash, Head of Banking Technology and Security at Bankenverband – Association of German Banks.
Key recommendations include:
– Building a cryptographic inventory across institutions
– Developing migration scenarios and crypto-agile systems
– Coordinating internationally with partners like SWIFT and EMVCo
– Evaluating and integrating post-quantum algorithms such as ML-DSA, SLH-DSA, and ML-KEM
– Increasing use of AES-256 and hybrid cryptographic solutions
GBIC is taking a proactive stance to ensure the resilience of Germany’s banking infrastructure. The transition to post-quantum cryptography is not just a technical challenge—it’s a strategic imperative.
Background
The IT security of the German banking sector relies heavily on cryptographic procedures.
Within this context, GBIC uses standardised algorithms that have undergone rigorous scientific study. To reflect advancements in cryptanalysis and computer technology, GBIC adjusts its risk assessment at regular intervals. Based on this assessment, measures are designed and implemented to maintain a high level of security for banking applications going forward.
This process led, for example, to specifications for the replacement of Triple DES (Data Encryption Standard) by AES (Advanced Encryption Standard) in card-based payment transactions, a move that has already been largely implemented.
As considerable progress has been made in the development of quantum computers in recent years, particular attention is currently being paid to the threat to cryptographic procedures from quantum computers.
Courses of action and recommendations
Now that the first quantum computer-resistant algorithms are standardized, more concrete measures can be taken to prepare for a migration to quantum-safe cryptography. From the perspective of GBIC, these include the following measures (note that this list is not exhaustive):
Build inventory of cryptographic methods used throughout GBIC
To support trustworthy use, GBIC has compiled an inventory of the cryptographic procedures used throughout the German banking sector. For each procedure it records the parameters, the purpose, whether the information protected by the method needs to be stored in the long term, and the expected lifetime of the cryptographic primitive used.
All individual institutions, data centres and banking industry service providers are advised to compile a similar overview of any procedures they use other than the GBIC-recommended methods.
By the end of 2027, all institutions in the German banking industry should have compiled such an inventory.
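An added illustration, not taken from the position paper: one way an institution could record the inventory fields listed above and rank entries for migration. The exposure classes, the ranking rule and the sample entries are assumptions of this example; entries that protect long-term data with a quantum-vulnerable algorithm come first, and unknown algorithms are flagged rather than assumed safe.

```python
from dataclasses import dataclass

# Exposure classes are this example's assumption, not the position paper's:
# RSA falls to Shor's algorithm, the post-quantum schemes are built to resist it.
EXPOSURE = {
    "RSA": "quantum-vulnerable",
    "3DES": "legacy-symmetric",
    "AES-256": "quantum-safe",
    "ML-KEM": "quantum-safe",
    "ML-DSA": "quantum-safe",
    "SLH-DSA": "quantum-safe",
}

@dataclass(frozen=True)
class Entry:
    system: str              # where the procedure is used
    algorithm: str
    parameters: str
    purpose: str
    long_term_storage: bool  # must the protected data be kept long term?
    lifetime_end: int        # expected last year of use of the primitive

def exposure(entry):
    # Unknown algorithms are flagged, never silently treated as safe.
    return EXPOSURE.get(entry.algorithm, "unclassified")

def priority(entry):
    """Lower value = migrate earlier (hypothetical ranking rule)."""
    exp = exposure(entry)
    if exp == "quantum-safe":
        return 3
    if exp == "quantum-vulnerable" and entry.long_term_storage:
        return 0
    if exp in ("quantum-vulnerable", "unclassified"):
        return 1
    return 2

def migration_order(inventory):
    # Priority first, then the longest expected lifetime first.
    return sorted(inventory, key=lambda e: (priority(e), -e.lifetime_end))

# Constructed sample inventory, not data from GBIC.
INVENTORY = [
    Entry("online-authorisation", "AES-256", "256-bit", "transaction MAC", False, 2040),
    Entry("card-offline-auth", "RSA", "2048-bit", "card authentication", False, 2032),
    Entry("legacy-terminal", "3DES", "2-key", "PIN encryption", False, 2027),
    Entry("vendor-hsm-link", "vendor-proprietary", "unknown", "session setup", False, 2030),
    Entry("archive-key-wrap", "RSA", "3072-bit", "key transport", True, 2035),
]
```

Calling `migration_order(INVENTORY)` returns the entries in the order they should be examined under this rule.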
Prepare migration scenarios
Since experience has shown that migration of cryptographic procedures can be a long process from planning to full implementation, particularly if hardware has to be replaced, it is necessary to develop migration scenarios, including fallback strategies, at an early stage.
Paying particular attention to the recommendations of the BSI (German Federal Office for Information Security), GBIC will continuously develop migration scenarios for all German payment systems. Migration scenarios, including prioritisation and fallback scenarios, should be available by the end of 2030 for all institutions in the German banking industry.
Increase use of online checks in card payment transactions
An increased use of online checks in card payment transactions can reduce dependency on the RSA (Rivest-Shamir-Adleman Cryptosystem) procedure, which is currently used, e.g., for card authentication and offline PIN checks. As online authorisation based on AES can be used in card-based payment transactions, with only a few exceptions, it is recommended, from a cryptographic perspective, that this option be used. The use cases for offline authorisation which cannot be easily replaced should be examined carefully, including a risk assessment.
Read the full position paper to explore the roadmap and all recommendations: Position Paper of the German Banking Industry Committee on the Impact of the Development of Quantum Computers