up:: In the Protocols MOC

PQC in Payments (EMV and PCI)

Payments PQC is the work of moving the card-payment ecosystem to post-quantum cryptography across a stack that spans the chip in your wallet, the terminal at the counter, the processors and networks behind them, and the interbank messaging that settles the money. Card payments use cryptography to authenticate a card to a terminal, to protect the PIN, to authorize a transaction with the issuer, and to sign and secure the messages that move value between banks. The chip-and-terminal layer carries an unusually long hardware tail, because cards and point-of-sale terminals are replaced on slow, multi-year cycles, so the cryptography embedded in them is effectively fixed for years at a time.

On top of that hardware sits a governance layer, PCI DSS, whose 4.x versions now require a documented cryptographic inventory and a transition plan that explicitly contemplates the post-quantum move, and a messaging layer, ISO 20022, whose larger post-quantum signatures collide with buffer sizes built for classical ones. The migration is slow at the edge and governed in the middle, which is what makes payments its own kind of PQC problem.

The short version:

  • Card payments authenticate cards and terminals with classical RSA and increasingly ECC public-key cryptography, which Shor’s algorithm breaks, while the online transaction cryptograms use symmetric AES, which survives quantum with a larger key.
  • The long tail is hardware. Payment cards and terminals turn over on multi-year cycles, and EMVCo is still finishing an RSA-to-ECC migration expected to run to around 2030, so the deployed base changes slowly and the cryptography in it is effectively frozen for years.
  • EMVCo publicly places the quantum threat to EMV chip infrastructure at “at least 2040” and is building cryptographic agility for contingency, with the offline (RSA/ECC terminal authentication) path as the vulnerable surface and the online AES cryptograms as the quantum-resistant one.
  • PCI DSS v4.x makes the groundwork mandatory: Requirement 12.3.3, effective 31 March 2025, requires a documented, annually reviewed inventory of cryptographic cipher suites and protocols, active monitoring of PQC timelines, and a documented transition plan.
  • ISO 20022 messaging can carry the larger post-quantum signatures in principle, and BIS Project Leap’s real-system tests found the multi-kilobyte signatures overflowed buffers sized for classical ones, so message and buffer engineering is part of the payments migration.

Picture a national transit system where the fare gates and the paper tickets were all manufactured to accept one specific magnetic stripe pattern, and there are hundreds of millions of tickets in circulation and hundreds of thousands of gates installed. Changing the pattern means reissuing every ticket and re-fitting every gate, and that rollout takes years because you can’t strand a rider at a broken gate or invalidate a ticket someone already holds. Meanwhile the central clearinghouse that reconciles every ride can adopt a new format faster, but it still has to keep accepting the old pattern until the last gate and ticket are replaced. Card payments migrate the same way: fast in the clearing layer, glacial at the card-and-terminal edge, and coordinated so nothing at the counter breaks mid-transition.

What cryptography does the payment ecosystem use?

The payment stack uses cryptography at four layers, and the quantum exposure sits in the public-key parts of each while the symmetric parts largely survive. Understanding which layer does which job is what makes the migration legible, because the layers move on very different clocks.

  1. Card-to-terminal authentication. An EMV chip proves it’s genuine to a terminal using public-key cryptography, historically RSA and increasingly ECC. This is the offline data authentication path, and it’s the classically public-key, quantum-vulnerable surface at the edge.
  2. Transaction authorization cryptograms. When a transaction goes online to the issuer for approval, the card and issuer authenticate the transaction with a cryptogram computed using symmetric cryptography, including AES. EMVCo notes that AES has been in the EMV specifications since 2010 and is quantum-resistant, so this online path is comparatively safe.
  3. PIN and data protection. PIN blocks and sensitive cardholder data are protected with a mix of symmetric and public-key cryptography as they move through terminals, processors, and networks, governed by PCI standards.
  4. Interbank and settlement messaging. The messages that clear and settle payments between institutions, increasingly formatted in ISO 20022 and carried over networks like SWIFT, are signed and protected with classical public-key cryptography, which is the quantum-vulnerable messaging surface.

Source: EMVCo, “Quantum Computing and EMV Chip: What’s the Threat?”, 3 June 2025 (AES online cryptograms quantum-resistant and in EMV specs since 2010; RSA/ECC offline authentication is the vulnerable path), emvco.com.

The four layers run on very different migration clocks, and the sequence follows from that:

LayerCryptographyQuantum exposureMigration speed
Card-to-terminal authenticationRSA / ECC (offline)Vulnerable to ShorSlowest, paced by card and terminal hardware refresh
Transaction cryptogramsSymmetric AES (online)Survives with adequate key sizeComparatively safe, minimal change needed
PIN and stored dataMixed symmetric and public-keyHNDL on stored dataGoverned by PCI DSS, can move now
Interbank / ISO 20022 messagingClassical public-key signaturesVulnerable to Shor; size strains buffersFaster than the edge, gated by systems engineering

The pattern is the familiar one: symmetric AES faces only Grover’s algorithm and stays strong with adequate key length, while the RSA and elliptic-curve public-key pieces are what Shor’s algorithm breaks. In payments the vulnerable public-key surfaces are card-and-terminal authentication at the edge and message signing in the clearing layer.

Why is the card and terminal hardware such a long tail?

Because payment cards and point-of-sale terminals are physical devices replaced on slow, multi-year cycles, so whatever cryptography is embedded in a card or a terminal stays in the field for years, and the deployed base as a whole changes only gradually. A card issued today lives in a wallet until it expires or is reissued, and a terminal installed at a merchant runs for years before it’s swapped, so the ecosystem can’t change its cryptography in a single coordinated step the way a data center can.

The clearest evidence of how slowly this moves is that the payment industry is still finishing its previous cryptographic migration. EMVCo is in the middle of moving EMV chip authentication from RSA to ECC, a transition widely expected to run to around 2030, and the post-quantum migration is arriving before that RSA-to-ECC move is even complete.

Source: EMVCo, “What is the Role of Elliptic Curve Cryptography in an EMV Chip Payment?” (EMV chip specifications extended to support ECC as part of the ongoing RSA-to-ECC migration), emvco.com.

That telescoping is the heart of the problem. Some institutions face a choice between deploying ECC only to begin replacing it within a few years, or skipping ECC and moving from RSA toward post-quantum directly, and either path has to be executed across a card-and-terminal base that turns over slowly. The hardware tail is why the payments migration is measured against reissuance and terminal-refresh cycles rather than a single upgrade date, and it’s why crypto-agility in new cards and terminals is the lever that keeps the next change from being another decade-long program.

What does EMVCo say about the quantum threat?

EMVCo, the body that maintains the EMV chip specifications, takes a deliberately measured public position: it expects the quantum threat to EMV chip infrastructure to hold off until at least 2040, and it’s building cryptographic agility so the ecosystem can respond when the threat firms up. Its reasoning rests on a split between the resistant and the vulnerable parts of EMV.

  1. The online path is quantum-resistant. Online transaction cryptograms use symmetric cryptography including AES, which EMVCo describes as a quantum-resistant cipher that has been in the EMV specifications since 2010. Because EMV uses cryptography for real-time payment authorization and terminal PIN protection, EMVCo argues the immediate impact of a quantum computer is limited.
  2. The offline path is the vulnerable surface. The public-key methods (RSA and ECC) used for offline terminal-side authentication are the potentially quantum-vulnerable piece, and EMVCo has flagged quantum-resistant requirements and mitigation for offline transactions as forthcoming work.
  3. Agility is the contingency plan. EMVCo published its first quantum position paper in 2016 and has institutionalized cryptographic agility for contingency purposes, so that the specifications can adopt NIST’s post-quantum algorithms when needed, including incorporating them into TLS for card-based e-commerce.

Source: EMVCo, “Quantum Computing and EMV Chip: What’s the Threat?”, 3 June 2025, emvco.com.

The honest read is that EMVCo’s 2040 framing applies to the specific, real-time EMV chip transaction, and it doesn’t cover everything a payment organization must worry about. Stored cardholder data, long-lived signing keys, and interbank messaging carry harvest-now-decrypt-later and forge-later exposures on their own clocks, and the compliance groundwork lands well before 2040, which is where PCI DSS comes in.

What does PCI DSS require, and why does it matter for quantum?

PCI DSS, the Payment Card Industry Data Security Standard that governs how cardholder data is handled, now requires the exact groundwork a post-quantum migration starts from, so for any organization in scope the first steps are already mandatory. Requirement 12.3.3 in PCI DSS v4.x became a mandatory requirement on 31 March 2025, and it turns cryptographic inventory and forward planning into a compliance obligation.

The requirement has three parts that map directly onto PQC readiness:

  1. A documented cryptographic inventory. Organizations must maintain an up-to-date inventory of all cryptographic cipher suites and protocols in use, including their purpose and where they’re used, reviewed at least once every 12 months. This is a cryptographic bill of materials in all but name.
  2. Active monitoring of cryptographic viability. Organizations must actively track industry trends on the continued viability of the algorithms they use, which explicitly includes following NIST’s post-quantum standards and the timelines for deprecating quantum-vulnerable algorithms.
  3. A documented transition plan. Organizations must document a plan to respond to anticipated changes in cryptographic vulnerabilities, which is the crypto-agility and migration plan the quantum transition needs.

Source: PCI Security Standards Council, PCI DSS v4.0.1, Requirement 12.3.3 (documented and annually reviewed inventory of cryptographic cipher suites and protocols, active monitoring, and a transition plan; effective 31 March 2025), pcisecuritystandards.org.

The consequence is that the payments industry has a mandatory on-ramp that other sectors have to build from scratch. A merchant, processor, or service provider meeting Requirement 12.3.3 already has the inventory, the monitoring, and the transition plan that a post-quantum migration is built on, so the compliance obligation and the PQC preparation are the same work. The full artifact is covered in Cryptographic Bill of Materials (CBOM); in payments its value is that a regulation already requires it.

How do larger post-quantum signatures affect ISO 20022 and settlement?

They strain the message formats and the systems that carry them, because a post-quantum signature is far larger than the classical one it replaces, and the interbank messaging infrastructure was engineered around classical sizes. ISO 20022, the structured messaging standard that networks like SWIFT are adopting, can technically accommodate larger payloads, and real-world testing has shown that “technically can” and “current systems handle it gracefully” are different things.

The clearest evidence comes from the Bank for International Settlements. In Project Leap phase 2, a collaboration of the BIS Innovation Hub Eurosystem Centre, the Bank of France, the Bank of Italy, Deutsche Bundesbank, Nexi-Colt, and SWIFT, engineers tested post-quantum signatures inside a real payment system and found that the larger signatures exceeded buffer sizes that message-handling logic had been built to expect, which is precisely the kind of downstream breakage that a size increase causes across a settlement pipeline.

Source: BIS Innovation Hub, “Project Leap phase 2: quantum-proofing payment systems,” December 2025 (testing post-quantum signatures in an operational payment system, with findings on performance, interoperability, and cryptographic agility), bis.org.

So the messaging-layer migration is a systems-engineering exercise as much as a cryptographic one. Replacing a signature that’s a few hundred bytes with one that’s several kilobytes ripples through message size limits, buffers, storage, and throughput assumptions built into decades-old clearing and settlement systems, which is why central banks are testing it in realistic environments before committing. The protocol-level mechanics of moving signatures to ML-DSA and the size story that drives all of this are shared with the rest of the transition.

How does a payment organization sequence its migration?

The sequence is set by the different clocks the payment layers run on: govern and inventory first, protect the harvestable and long-lived data next, and migrate the slow hardware edge on its natural refresh cycle. The layers don’t move together, so the plan orders them by exposure and by what can actually be changed when.

  1. Meet Requirement 12.3.3 as the on-ramp. Build the cryptographic inventory, stand up the monitoring, and write the transition plan the standard already requires, which produces the CBOM every later step depends on.
  2. Protect stored data and long-lived keys. Cardholder data and archives with long confidentiality requirements carry a harvest-now-decrypt-later exposure, and long-lived signing keys carry a forge-later one, so these move ahead of the real-time chip transaction that EMVCo places further out.
  3. Migrate messaging and e-commerce cryptography. Move the TLS protecting online card transactions to a hybrid post-quantum key exchange, and plan the ISO 20022 signing migration with the buffer-and-size lessons from tests like Project Leap.
  4. Migrate the card-and-terminal edge on its refresh cycle. The chip and terminal base moves slowly, so its migration is sequenced against reissuance and terminal-refresh cycles, with EMVCo’s agility work making the new hardware ready to accept post-quantum algorithms as the specifications adopt them.

The realistic framing is that the compliance and data-protection layers can and should move now, while the physical card-and-terminal edge is a decade-scale rollout paced by hardware turnover. The leverage is in the inventory that shows where the exposure actually is and in the agility built into the cards and terminals shipping today.

Common misconceptions

  1. “EMV chips use AES, so payments are quantum-safe.” The online transaction cryptograms use symmetric AES and are comparatively safe, and the offline terminal-authentication path uses RSA and ECC, which Shor’s algorithm breaks. The vulnerable public-key surfaces are card-and-terminal authentication and interbank message signing.
  2. “EMVCo says 2040, so there’s nothing to do now.” The 2040 framing applies to the real-time EMV chip transaction specifically. Stored cardholder data, long-lived keys, and messaging carry harvest-now-decrypt-later and forge-later exposures on earlier clocks, and PCI DSS Requirement 12.3.3 has been mandatory since March 2025.
  3. “PCI DSS doesn’t address quantum.” Requirement 12.3.3 requires a documented cryptographic inventory, active monitoring of algorithm viability including PQC timelines, and a documented transition plan, so the standard already mandates the groundwork a quantum migration is built on.
  4. “Post-quantum signatures drop straight into ISO 20022.” ISO 20022 can carry larger payloads in principle, and BIS Project Leap found that multi-kilobyte post-quantum signatures overflowed buffers built for classical sizes in a real system, so the messaging migration is a systems-engineering job, not a format tweak.
  5. “The card in my wallet can be updated to post-quantum cryptography.” Cards and terminals are physical hardware replaced on slow cycles, so the cryptography in the deployed base is effectively fixed until reissuance and terminal refresh. The edge migrates on a hardware clock, which is why designing agility into new cards and terminals matters.

Questions people ask

Is the EMV chip quantum-safe today? Partly. The online transaction cryptograms use symmetric AES, which survives quantum, and the offline terminal-authentication path uses classical RSA and ECC, which Shor’s algorithm breaks. EMVCo places the quantum threat to the EMV chip transaction at “at least 2040” and is building agility for it.

Why is the card-and-terminal base such a slow migration? Cards and terminals are physical devices replaced on multi-year cycles, so the deployed cryptography changes only gradually. The industry is still finishing an RSA-to-ECC migration expected to run to around 2030, and the post-quantum move is arriving before that one is complete.

What does PCI DSS require for cryptography? Requirement 12.3.3, mandatory since 31 March 2025, requires a documented and annually reviewed inventory of all cryptographic cipher suites and protocols in use, active monitoring of their continued viability including post-quantum timelines, and a documented transition plan. That’s the on-ramp a PQC migration starts from.

Why do post-quantum signatures cause trouble in payment messaging? A post-quantum signature is far larger than a classical one, and interbank messaging and settlement systems were engineered around classical sizes. BIS Project Leap found that the larger signatures overflowed buffers built for the old sizes in a real payment system, so the migration ripples through message limits, buffers, and throughput.

What should a payment organization do first? Meet PCI DSS Requirement 12.3.3 by building the cryptographic inventory, the monitoring, and the transition plan, which produces the CBOM every later step depends on. Then protect harvestable stored data and long-lived keys ahead of the slow card-and-terminal edge.

Does the harvest-now-decrypt-later threat apply to payments? Yes, to stored cardholder data and archives with long confidentiality requirements, and to the confidentiality of messaging, even though EMVCo argues the real-time chip transaction is a later concern. That’s why stored-data and key protection move ahead of the chip-and-terminal migration.

How does the migration relate to cyber insurance and liability? A documented cryptographic inventory and transition plan are increasingly what underwriters and auditors expect, so meeting Requirement 12.3.3 doubles as the evidence that supports a defensible risk posture. The insurance angle is covered in Cyber Insurance.


Everything here is the map, given freely. When your team needs its payment cryptography inventoried to satisfy PCI DSS 12.3.3, its harvestable data and long-lived keys protected first, and its card-and-terminal edge sequenced against reissuance cycles and 2035, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.