Emerging Payments Association Asia announces new work group to encourage the adoption of quantum-safe cryptography in the banking industry

New work group will support a roadmap for quantum-safe cryptography adoption across the payments and banking landscape. The Work Group plans to publish its first set of findings in time for Sibos in October 2024.

The Emerging Payments Association Asia (EPAA) announced the formation of a Work Group on Quantum-Safe Cryptography (WG-QSC) across ASEAN, with IBM, HSBC, AP+ and PayPal as founding members. The group aims to study policy, regulation, and operator business processes to recommend steps toward implementing quantum-safe cryptography to enhance the protection of payment rails and processes in anticipation of advanced quantum computing that will be able to compromise existing cryptography.

Quantum computers are becoming more powerful, and as technology progresses, they could one day be used to break today’s encryption standards, such as RSA. This means data considered secure today could soon become vulnerable should access to a cryptographically relevant quantum computer – a quantum computer powerful enough to break today’s encryption – fall into the wrong hands.

To prepare, it is critical for organisations to begin exploring the transition to post-quantum cryptography. The work group intends to help define requirements, identify dependencies, use cases, and create a roadmap to implement post-quantum networking to mitigate the anticipated risks associated with future, cryptographically relevant quantum computers. Without post-quantum solutions, sensitive assets such as confidential business information, payments files, and other business-critical data could be at risk from attackers.

In a 2022 report, the World Economic Forum recently estimated that more than 20 billion digital devices will need to be either upgraded or replaced in the next 10-20 years to use the new forms of post-quantum encrypted communication.

“The goal of this work group is to bring together leading global financial services providers, as founding members, with experts from IBM, HSBC, AP+ and PayPal to collaborate as, or with, the business, operators, and ecosystem partners. Together, we aim to understand and implement post-quantum protocols, defining approaches to protect critical payments infrastructure, processes, customer data, and payment flows through agreed upon policies, enhancing resilience in future networks,” said Camilla Bullock, EPAA CEO.

To address the challenges presented by emerging quantum technology, the U.S. National Institute of Standards and Technology (NIST) announced in July 2022 that it had chosen the first four post-quantum cryptography algorithms to be standardised for cybersecurity in the quantum computing era — with plans to formally publish the standards this year. These chosen algorithms rely on the computational difficulty of lattice- and hash-based mathematical problems.

Additionally, there are worldwide initiatives related to the construction of quantum key distribution networks whose security relies on the fundamental laws of quantum physics. Post-quantum cryptography and QKD technologies aim to protect today’s systems and data from future cryptographically relevant quantum computers.

“Given the accelerated advancements of quantum computing, data and systems secured with today’s encryption could become insecure in a matter of years. We are pleased to work with the EPAA to help advance the industry’s move to adopt quantum-safe technology,” said Ray Harishankar, IBM Fellow – IBM Quantum Safe.

In February of 2024, the Monetary Authority of Singapore (MAS) issued an Advisory on Addressing the Cybersecurity Risks Associated with Quantum, which highlights some of the measures that financial institutions should consider as part of quantum transition efforts:
. Keeping abreast of the latest developments in quantum computing and raising awareness of the associated cybersecurity risks
. Maintaining an inventory of cryptographic assets and identifying critical assets to be prioritised for migration to quantum-resistant encryption and key distribution and
. Developing strategies and building capabilities to address cybersecurity risks associated with quantum.

As stated in the Bank of International Settlements (BIS) Project Leap report, “the challenge that central banks and all other organisations will face is the need to compile an inventory of the cryptographies currently in use across IT systems and to identify where the threatened cryptographic schemes are implemented.”

“Quantum computing is by far the biggest revolution in computing since the 1950s, and most of it will have a positive impact on our industry and society. It can potentially solve highly complex optimisation challenges such as liquidity management. At the same time, it could inherently undermine the cryptographic principles relied on today. This is why we have seen more quantum-resistant symmetric-key encryption algorithms like Advanced Encryption Standard (AES), selected by the US National Institute of Standards and Technology (NIST) and the AES migration for payments underway in many jurisdictions. We have also seen other industry consortia working to protect and secure customer data with the timely adoption of quantum-resilient solutions, policies and standards”, said May Lam, CIO of Australian Payments Plus.

The EPAA Work Group on Quantum-Safe Cryptography will drive awareness of these challenges and the adoption of post-quantum cryptography within payments, mainly across three areas:
. Strategy – to integrate post-quantum capabilities into banking and payment technologies, business processes and security.
. Standardisation – to identify the needs and common alignments for the integration of post-quantum capabilities into existing payments networks through participation in Standards bodies.
. Policy – to drive communications about payments network public policy, regulation and compliance and to ensure scale across the industry.

“This technology also brings true business/revenue opportunities in Payments, Treasury and Cash Management in a real-time world. We are extremely proud of the cross-geo and cross-functional professionals we’ve been able to bring together for this extremely important topic. Through this work group, we are looking forward to collaboratively drive a critical transformation in the payments industry.”, said Mary Ann Francis, Advisory Board Member and Co-chair of the WG-QSC.