The advent of quantum computing is set to change technology as we know it, with quantum computers expected to deliver remarkable advances in processing power for certain classes of problem. However, the same technology has sparked serious debate in the fields of cyber security and information security. Alongside the obvious opportunities for innovation, quantum computers pose a substantial risk to the efficacy of today's public-key encryption standards. As a result, they could affect the security of sensitive data, including payment card information governed by the Payment Card Industry Data Security Standard (PCI DSS).
In this blog, we will explore why quantum computers are a serious threat to encryption, the mechanisms through which they can break existing cryptographic systems, the implications for the PCI DSS and the potential solutions that are currently on the horizon.
Understanding Quantum Computing
Quantum computers leverage the principles of quantum mechanics to process information. They work using qubits instead of traditional computing bits. While classical bits, upon which all existing computation is based, can exist in one of two states (0 or 1, also known as binary), qubits can exist in a superposition of both states. Qubits can also be entangled, meaning that measurements on one are correlated with measurements on another regardless of the distance separating them, and without any conventional connection between them.
These properties allow a quantum computer to perform certain specific calculations in far fewer steps than any known classical method. They do not make every computation faster, but the problems that do benefit include exactly the ones on which today's public-key encryption relies. A sufficiently large quantum computer could therefore break the traditional encryption methods that secure many online transactions.

Current Encryption Standards at Risk
Public-key cryptographic systems such as Rivest–Shamir–Adleman (RSA), Diffie–Hellman key exchange and Elliptic Curve Cryptography (ECC) are fundamental to securing communications over the internet. Their security rests on the difficulty of mathematical problems such as factoring a large integer into its prime factors (RSA) or solving the discrete logarithm problem (Diffie–Hellman and ECC). Shor's algorithm, published in 1994, solves both of these problems on a sufficiently large quantum computer in polynomial time, whereas the best-known classical algorithms take super-polynomial time. Factoring a 2048-bit RSA modulus with classical hardware would take far longer than the current age of the Universe; current estimates put the same task on a large, fault-tolerant quantum computer at a matter of hours or days. Because Shor's running time grows only polynomially with the key size, doubling the RSA key length buys little, so, unlike the symmetric case below, RSA and ECC cannot be rescued by larger keys and will have to be replaced.
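To make the mechanism concrete, the following is an added example (not code from the original post) that runs the classical skeleton of Shor's algorithm against a constructed toy RSA key, n = 61 × 53 with e = 17. The single step a quantum computer accelerates, finding the multiplicative order of a random base modulo n, is brute-forced here, which is only feasible because n is 12 bits long; everything around it (choosing a base, checking the order is even, taking the gcd of a^(r/2) − 1 with n, then rebuilding the private exponent) is exactly the classical pre- and post-processing Shor's algorithm performs around the quantum subroutine. The modulus, exponent and seed are assumptions chosen for illustration.

```python
"""Classical skeleton of Shor's algorithm on a toy RSA modulus.

Added example for this post, not code from the original. The only step a
quantum computer accelerates is order finding (find_order); here it is
brute-forced, which is feasible only because n has 12 bits. Every other
step is the classical pre- and post-processing that Shor's algorithm
performs around the quantum subroutine.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), for gcd(a, n) == 1.

    Brute force: up to n multiplications, i.e. exponential in the bit
    length of n. Shor's quantum period finding does this in polynomial
    time; this loop is the stand-in for that quantum step.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 0, max_tries: int = 64):
    """Return a non-trivial factor of n, or None if every try was unlucky.

    Assumes n is odd, composite and not a prime power (an RSA modulus).
    Each try succeeds with probability at least 1/2 for such n.
    """
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return g                     # lucky guess already shares a factor
        r = find_order(a, n)
        if r % 2:
            continue                     # odd order gives no square root; retry
        y = pow(a, r // 2, n)            # y*y == 1 (mod n)
        if y == n - 1:
            continue                     # trivial root -1; retry
        f = gcd(y - 1, n)                # (y-1)(y+1) == 0 (mod n) splits n
        if 1 < f < n:
            return f
    return None


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the RSA public key (n, e), rebuild d by factoring n."""
    p = shor_factor(n)
    if p is None:
        raise RuntimeError("factoring failed; retry with another seed")
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)               # modular inverse (Python 3.8+)


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53, e = 17. A real key has a 2048-bit n.
    n, e = 3233, 17
    d = recover_private_exponent(n, e)
    c = pow(65, e, n)                    # "encrypt" the message 65
    print(f"recovered d = {d}; ciphertext {c} decrypts to {pow(c, d, n)}")
```

The point to take away is where the cost sits: for a 2048-bit modulus the brute-force loop in find_order would need on the order of 2^2048 steps, while the rest of the procedure is cheap on any laptop. Shor's quantum period finding replaces only that loop, which is why a large enough quantum computer turns the whole attack into a polynomial-time one.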
Symmetric key algorithms such as the Advanced Encryption Standard (AES) are in a much better position. Grover's algorithm lets a quantum computer search an unstructured space of N possibilities in roughly the square root of N steps rather than N, which for a brute-force key search halves the effective key length rather than breaking the cipher outright. AES-256 would need about 2^128 quantum operations instead of 2^256, which is still far beyond reach; the more relevant concern is AES-128, whose effective strength falls to around 64 bits on paper. In practice the gap is smaller than these figures suggest, because Grover's search must run as one long sequential quantum computation and parallelises poorly, but the standard precaution is to prefer 256-bit keys for data with a long shelf life.
The Practical Implications of Quantum Computing on Encryption
As quantum technologies mature, they move closer to practical use. Today the machines are built by organisations such as Google, IBM and D-Wave, and small, noisy devices can already be rented through cloud services; what does not yet exist is a large fault-tolerant machine of the kind needed to run Shor's algorithm against real key sizes. These firms and a growing number of others are investing heavily in quantum research, advancing us towards a future in which quantum computers surpass their classical counterparts on specific computational tasks.
Security practices that rely on current public-key encryption must be updated ahead of that shift, as sensitive information such as card numbers, addresses and other personally identifiable information (PII) stored in databases could be exposed. The risk is not purely in the future: traffic encrypted today using RSA or elliptic-curve key exchange can be recorded now and decrypted once a capable machine exists (often called 'harvest now, decrypt later'), so data that must stay confidential for years is already affected. This is particularly concerning for organisations that process payment transactions, given their need to comply with PCI DSS requirements.
The Implications for PCI DSS
The PCI DSS aims to ensure payment card data is protected throughout its lifecycle, and compliance with the Standard is essential for organisations that handle card transactions. It underpins the security of e-commerce, which currently accounts for approximately 70-80% of all card transactions. As quantum computing advances, the implications for PCI DSS compliance and payment security in general could be significant.
As current public-key methods become vulnerable to quantum attack, your organisation will need to transition to quantum-resistant algorithms to keep the payment card data it processes secure. PCI DSS v4.0 already lays some groundwork: Requirement 12.3.3 calls for a documented, annually reviewed inventory of the cryptographic cipher suites and protocols in use, together with a strategy for responding to anticipated changes in cryptographic vulnerabilities, which is exactly the starting point for a migration. Over time it will become necessary for the PCI Security Standards Council (PCI SSC) to update the Standard with guidance and eventually requirements for post-quantum cryptography.
Steps Toward Quantum-Resistant Cryptography
Quantum mechanics also offers defensive tools, although they are narrower than is often suggested. Quantum Key Distribution (QKD) uses the properties of quantum states to let two parties agree a random secret key over a dedicated optical link: any attempt to measure the photons in transit disturbs them, so eavesdropping is detected and the affected key material can be discarded and the exchange repeated. QKD is not an encryption algorithm, it only distributes keys. It needs specialist hardware and a point-to-point fibre or free-space channel, it still depends on a classically authenticated channel to defeat man-in-the-middle attacks, and both the UK NCSC and the US NSA advise against relying on it in place of post-quantum cryptography for general use.
The main line of defence is post-quantum cryptography (PQC): public-key algorithms built on mathematical problems believed to resist quantum as well as classical attack, such as lattice-based and hash-based schemes. The National Institute of Standards and Technology (NIST) completed the first round of standardisation in August 2024, publishing FIPS 203 (ML-KEM, a lattice-based key encapsulation mechanism), FIPS 204 (ML-DSA, a lattice-based signature scheme) and FIPS 205 (SLH-DSA, a hash-based signature scheme), with further candidates still under evaluation.
During the transition your organisation may need hybrid approaches that combine a classical and a post-quantum algorithm, for example a TLS key exchange that derives the session key from both an elliptic-curve shared secret and an ML-KEM shared secret, so the connection stays secure unless both are broken. Such hybrids are already shipping in mainstream browsers and content delivery networks. The prerequisite is crypto-agility: knowing where each algorithm is used (the inventory PCI DSS already asks for) and being able to swap it out without redesigning the system.
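The following added example (not code from the original post) shows how a Requirement 12.3.3 style inventory can be triaged for quantum risk. It combines two rules from the discussion above: Shor breaks RSA, Diffie–Hellman and elliptic-curve algorithms at any key size while Grover only halves the effective length of symmetric keys, and confidentiality uses are exposed to harvest-now-decrypt-later, so an entry is urgent when the data's secrecy shelf life plus the time to migrate exceeds the assumed horizon for a cryptographically relevant quantum computer (Mosca's inequality). The inventory entries, the ten-year horizon and the shelf-life and migration figures are all constructed assumptions for illustration, not estimates from this post or from PCI SSC.

```python
"""Triage a cryptographic inventory for quantum risk.

Added example, not from the original post. SAMPLE_INVENTORY is constructed
data modelled on what a PCI DSS v4.0 Requirement 12.3.3 inventory records.
QUANTUM_HORIZON_YEARS is an assumption for illustration, not a prediction;
change it to see how the priorities move.
"""
from dataclasses import dataclass

QUANTUM_HORIZON_YEARS = 10  # assumed years until a cryptographically relevant QC

SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "EdDSA", "DSA"}  # broken at any key size
GROVER_HALVED = {"AES", "ChaCha20"}                           # effective bits roughly halved
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}                     # FIPS 203 / 204 / 205
CONFIDENTIALITY = {"key-exchange", "encryption-at-rest"}      # harvest-now-decrypt-later applies


@dataclass(frozen=True)
class Entry:
    system: str
    purpose: str            # key-exchange | encryption-at-rest | signature | hmac
    algorithm: str
    key_bits: int           # for ML-KEM this is the parameter set (e.g. 768), not a key length
    shelf_life_years: int   # how long the protected data must stay secret
    migration_years: int    # estimated time to replace the algorithm in this system


def effective_bits(e: Entry) -> int:
    """Security level left against a quantum adversary."""
    if e.algorithm in SHOR_BROKEN:
        return 0
    if e.algorithm in GROVER_HALVED:
        return e.key_bits // 2
    return e.key_bits


def triage(e: Entry, horizon: int = QUANTUM_HORIZON_YEARS):
    """Return (priority, reason) where priority is 'urgent', 'plan' or 'ok'."""
    if e.algorithm in PQ_SAFE:
        return "ok", "post-quantum algorithm"
    if e.algorithm in SHOR_BROKEN:
        if e.purpose in CONFIDENTIALITY:
            exposure = e.shelf_life_years + e.migration_years
            if exposure > horizon:   # Mosca: shelf life + migration time > time to QC
                return "urgent", (f"harvest-now-decrypt-later: {e.shelf_life_years}y secrecy "
                                  f"+ {e.migration_years}y migration > {horizon}y horizon")
            return "plan", f"Shor-breakable; {exposure}y exposure is within the {horizon}y horizon"
        # Signatures cannot be forged retroactively; only the migration must finish in time.
        if e.migration_years > horizon:
            return "urgent", "signature migration would finish after the horizon"
        return "plan", "Shor-breakable signature; migrate before the horizon"
    eff = effective_bits(e)
    if eff < 128:
        return "plan", f"Grover reduces a {e.key_bits}-bit key to ~{eff}-bit effective; move to 256-bit"
    return "ok", f"~{eff}-bit effective security against Grover"


def triage_inventory(entries, horizon: int = QUANTUM_HORIZON_YEARS):
    """Rows of (system, priority, reason), most urgent first (stable within a priority)."""
    rank = {"urgent": 0, "plan": 1, "ok": 2}
    rows = [(e.system, *triage(e, horizon)) for e in entries]
    return sorted(rows, key=lambda r: rank[r[1]])


# Constructed sample inventory; the systems and figures are illustrative assumptions.
SAMPLE_INVENTORY = [
    Entry("token-vault key wrapping", "encryption-at-rest", "RSA", 2048, 7, 5),
    Entry("gateway TLS 1.2 ECDHE", "key-exchange", "ECDH", 256, 1, 2),
    Entry("cardholder DB TDE", "encryption-at-rest", "AES", 128, 7, 3),
    Entry("HSM data-encryption key", "encryption-at-rest", "AES", 256, 7, 3),
    Entry("POS firmware signing", "signature", "ECDSA", 256, 0, 3),
    Entry("pilot API hybrid KEM", "key-exchange", "ML-KEM", 768, 1, 0),
]

if __name__ == "__main__":
    for system, priority, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{priority:6}  {system:28}  {reason}")
```

Two details are worth noting. The RSA-wrapped token vault comes out as urgent even though RSA is not broken today, because seven years of required secrecy plus a five-year migration overshoots the horizon, while the ECDSA firmware-signing key only needs to be replaced before a capable machine exists, since an old signature cannot be forged after the fact. Treat the horizon as an input to revisit at each annual review rather than a fixed fact.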
An Imminent Threat?
Having discussed the implications of quantum computing for the future of encryption, it is worth keeping the timescale in perspective. Cryptographically relevant quantum computers do not yet exist, and the machines that do exist are small, noisy research devices far short of what Shor's algorithm against a 2048-bit key would require. Much has been said about the extent of the threat to encryption and internet security in general, and whilst that threat is substantial, the practical risk for most organisations lies years ahead rather than today, with the exception of long-lived confidential data exposed to harvest-now-decrypt-later.
Quantum computers are highly advanced technologies that rely on some incredibly complex concepts from theoretical physics and other cutting-edge science. For example, most current designs, including superconducting-qubit machines, only operate when cooled to near absolute zero (approximately -270 °C), and they are driven through specialist control systems so as not to disturb the delicate quantum states inside.
In short, you will not find a quantum computer sitting on a desk in a typical office or home. They are not comparable to the conventional computers we use daily, and for the foreseeable future large quantum computers will remain the domain of governments, major technology companies and research facilities. Ordinary criminal actors are therefore very unlikely to gain access to this technology any time soon; the realistic long-term adversary is a well-resourced state, and the large-scale compromise of encryption systems such as those protecting global banking infrastructure is not an immediate concern.
Conclusion
Quantum computing presents a profound challenge to modern encryption standards and to current approaches to data protection, threatening the foundations of secure communication. For organisations required to comply with the PCI DSS, the need to anticipate and adapt to these changes is critical. As the timeline for quantum advancements continues to accelerate, the urgency of deploying quantum-resistant cryptographic protocols is growing, with many banks and financial institutions across the world funnelling research funds into this field.
By adopting post-quantum cryptography and exploring quantum key distribution, the risks posed by this revolutionary technology can be mitigated. Whilst the transition to a post-quantum world may take a long time, proactive measures can ensure that sensitive financial data remains protected against emerging threats.
How URM can help
If your organisation would benefit from assistance with its efforts to achieve and maintain compliance with the PCI DSS, URM's extensive experience as a PCI Qualified Security Assessor Company (PCI QSAC) ideally positions us to support you. Our team of QSAs and consultants can assist you with the entire certification or recertification process, both by helping you prepare for assessment and by supporting and facilitating the assessment itself. Our PCI DSS scope reduction service allows you to define the most streamlined and appropriate certification scope, reducing the time the assessment takes and therefore its cost. We can conduct a PCI DSS gap analysis, identifying the areas in which you currently meet the PCI DSS requirements and any areas of noncompliance. In addition, URM's QSAs can guide your completion of any implementation and remediation activities necessary for compliance.
Once your organisation has fully implemented the Standard's requirements, URM can also offer a range of PCI DSS audit services to support and facilitate your assessment. These include a pre-audit readiness assessment to establish your level of compliance and identify any remaining areas of noncompliance, and a QSA-led self-assessment questionnaire (SAQ) in which our QSA either leads your completion of the SAQ and countersigns it, or supports you in an advisory capacity, depending on the level of support you prefer. If your organisation is a Level 1 merchant or service provider, we can provide a full PCI audit led by experienced QSAs, culminating in a Report on Compliance (RoC).