While current cyberthreats like ransomware and malware take center stage, there is a looming cyberthreat on the horizon and that is quantum computing.
Quantum computing harnesses quantum mechanics to perform high-level computation. The resulting quantum computers are believed to be able to solve certain computational problems, such as integer factorization, substantially faster than classical computers.
Quantum computing research continues to advance across both government and private sectors, with organizations exploring applications in areas such as optimization, materials science and complex modeling.
But once quantum computers become functional, their ability to perform calculations exponentially faster than classical computers could significantly impact certain cryptographic methods currently used to protect data, particularly several popular asymmetric public-key cryptography (PKC) systems, such as RSA (Rivest-Shamir-Adleman), ECC (elliptic-curve cryptography) and Diffie-Hellman.
Standards organizations and researchers have been actively working to identify the best alternatives and plan the transition to post-quantum cryptography, which will secure against both classical and quantum computers and can work with existing communications protocols and networks. A recommended solution is for entities to adopt the Advanced Encryption Standard (AES), which was introduced by the National Institute of Standards and Technology (NIST) in 2001 and is used widely throughout the U.S. government.
However, industries using both asymmetric and symmetric cryptography have been slow to embrace AES – particularly in the payments industry, where the predecessor to AES, the Data Encryption Standard (DES) is still used, albeit in its triplicate form – also called Triple DES (TDES or 3DES).
Bluefin is a leading provider of encryption and tokenization solutions to protect sensitive data upon entry, in transit, and at rest. The company became the first North American provider of a PCI-validated point-to-point encryption (P2PE) solution in 2014 to secure point-of-sale (POS) payments and in 2019, introduced ShieldConex® for securing personally identifiable information (PII), protected health information (PHI) and payment information entered online. While implementing AES is not mandatory, Bluefin upgraded its payment security products to support AES in 2019 – with the company’s Decryptx® P2PE solution supporting AES-128 and 256, and ShieldConex utilizing AES-256 for Format Preserving Encryption (FPE).
Key Takeaways
- Quantum computing presents a long-term encryption consideration—not an immediate threat. Current standards remain secure when properly implemented.
- Asymmetric cryptography faces the greatest future risk. RSA, ECC and Diffie-Hellman could eventually require replacement.
- AES-256 and modern symmetric encryption remain strong. They are widely regarded as resistant to known quantum attack models.
- For payments, the focus is modernization and agility. Migrating to AES and planning for post-quantum standards ensures long-term resilience without disrupting today’s security.
Separating Quantum Hype from Security Reality
Much of the public conversation around encryption and quantum computing focuses on worst-case scenarios, often suggesting that quantum computers will suddenly render today’s encryption obsolete. While quantum computing represents a significant scientific advancement, it is important to distinguish long-term theoretical risk from present-day security realities.
Large-scale, fault-tolerant quantum computers capable of breaking widely deployed cryptographic systems do not yet exist. Researchers continue to make progress, but practical quantum systems that could threaten modern encryption standards are still considered years away. In the meantime, current encryption frameworks, when implemented properly and using strong key lengths, remain secure.
The primary concern discussed by researchers relates to certain asymmetric public-key algorithms, such as RSA and elliptic-curve cryptography, which could eventually be vulnerable to quantum techniques like Shor’s algorithm. However, symmetric encryption algorithms, particularly AES-256, are widely regarded as resistant to known quantum attack models when deployed correctly.
Security standards organizations, including NIST and the PCI Security Standards Council, are not reacting with urgency or alarm. Instead, they are guiding a measured, methodical transition toward long-term cryptographic resilience. This includes the standardization of post-quantum cryptographic algorithms for future asymmetric key exchange, while continuing to support strong symmetric encryption such as AES.
For the payments industry, this means the focus should remain on implementing proven encryption standards today, maintaining cryptographic agility, and preparing thoughtfully for future evolution rather than reacting to speculative headlines.
Asymmetric vs. Symmetric Cryptography
Asymmetric cryptography, also known as public-key cryptography (PKC), uses one public key and one private key to encrypt and decrypt a message. A public key is a cryptographic key that can be used by any person to encrypt a message so that it can only be deciphered by the intended recipient with their private key. A private key, also known as a secret key, is held only by the party that generated the key pair.
Many widely adopted protocols rely on asymmetric cryptography, including the transport layer security (TLS) and secure sockets layer (SSL) protocols. Types of asymmetric cryptography algorithms include RSA, which is often used in web browsers to connect to websites, in virtual private network (VPN) connections and in many other applications; Diffie-Hellman, which was one of the first public-key protocols implemented within the field of cryptography; and ECC, which is an approach to PKC based on the algebraic structure of elliptic curves over finite fields.
In symmetric encryption, only one secret key is used to both encrypt and decrypt electronic information. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process.
“By using symmetric encryption algorithms, data is converted to a form that cannot be understood by anyone who does not possess the secret key to decrypt it. Once the intended recipient who possesses the key has the message, the algorithm reverses its action so that the message is returned to its original and understandable form. The secret key that the sender and recipient both use could be a specific password/code or it can be a random string of letters or numbers that have been generated by a secure random number generator (RNG).”
Examples of symmetric encryption include the Advanced Encryption Standard (AES) and its predecessor, the Data Encryption Standard (DES).
Quantum Computing and Encryption
There has been much written about how quantum computers will “break” encryption. But when discussing the effects of quantum computing on encryption, it’s important to keep in mind the type of cryptography being discussed.
The primary current concern is asymmetric cryptography. Shor’s algorithm, a quantum technique, can factor large numbers exponentially faster than classical machines. Because asymmetric algorithms like RSA rely heavily on the fact that normal computers can’t find prime factors quickly, they have remained secure for years. Unfortunately, many asymmetric encryption algorithms have been mathematically proven to be broken by quantum computers using Shor’s algorithm, including RSA, Diffie-Hellman and ECC.
Symmetric encryption, on the other hand, or more specifically AES-256, is believed to be quantum-resistant. That means that quantum computers are not expected to be able to reduce the attack time enough to be effective if the key sizes are large enough.
AES is widely being looked at as the solution to quantum computers. AES is a specification for the encryption of electronic data. It was created in 2001 by NIST and is also included in the ISO/IEC 18033-3 standard, making it an international standard. AES was implemented by the U.S. government to protect information in three categories: Confidential, Secret or Top Secret.
“The main benefit of AES lies in its key length options. The time required to crack an encryption algorithm is directly related to the length of the key used to secure the communication — 128-bit, 192-bit or 256-bit keys. AES-128 uses a 128-bit key length to encrypt and decrypt a block of messages, while AES-192 uses a 192-bit key length and AES-256 a 256-bit key length to encrypt and decrypt messages. Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128, 192 and 256 bits, respectively.”
Prior to AES’s introduction, the U.S. government used Data Encryption Standard (DES) algorithms. DES was developed in 1975 by IBM and turned into a standard by NIST in 1976. It served as the main protocol for government cryptography until 1999, when researchers broke the algorithm’s 56-bit key using a distributed computer system. As such, AES is exponentially stronger than DES and is also faster, making it ideal for applications, firmware and hardware that require low latency or high throughput.
Quantum Computing vs. Quantum Cryptography vs. Post-Quantum Cryptography
Discussions about encryption and quantum computing often use several related but distinct terms interchangeably. Understanding the differences is important when evaluating long-term security strategy.
Quantum computing refers to the development of computing systems that use quantum mechanics principles such as superposition and entanglement to process information. The concern within cybersecurity is that sufficiently advanced quantum computers could one day impact certain cryptographic algorithms, particularly some asymmetric public-key systems.
Quantum cryptography, by contrast, uses quantum mechanics itself as part of the security mechanism. The most well-known example is Quantum Key Distribution (QKD), which enables two parties to exchange encryption keys in a way that can detect eavesdropping attempts. While promising, quantum cryptography technologies such as QKD currently require specialized infrastructure and are not widely deployed in commercial payment environments.
Post-quantum cryptography (PQC) refers to new cryptographic algorithms designed to resist attacks from both classical and future quantum computers. Unlike quantum cryptography, PQC does not require quantum hardware. Instead, it relies on mathematical problems believed to be resistant to quantum techniques. In recent years, NIST has selected and standardized several post-quantum algorithms intended to replace vulnerable asymmetric key exchange and digital signature systems over time.
For most organizations, including those in the payments industry, the practical focus today is not on deploying quantum cryptography systems, but on maintaining strong symmetric encryption (such as AES-256) and preparing for the eventual integration of post-quantum algorithms where appropriate. This measured approach allows businesses to maintain security today while planning responsibly for future cryptographic evolution.
DES vs. AES in the Payments Industry
DES is still used in the payment industry, with the security limitation of the DES 56-bit key being addressed by implementing Triple DES (TDES or 3DES), officially known as the Triple Data Encryption Algorithm (TDEA or Triple DEA). TDES is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block, producing a more secure encryption.
The payment industry has long relied on TDES, and while it remains approved in certain environments, industry guidance increasingly supports migration to AES due to its stronger key lengths, improved performance and long-term cryptographic resilience.
However, there are significant considerations when switching from DES to AES. AES, like DES, is a block cipher, but AES has larger block and key sizes. Each iteration of the encryption or decryption process works on a block of data: 8 bytes with DES, 16 bytes with AES. Key lengths differ as well: DES/TDES keys are 8, 16 or 24 bytes, while AES keys are 16, 24 or 32 bytes.
For many applications, these differences can quickly be accommodated – for example, in TLS, changing the cryptographic algorithms in the underlying cipher suite to use AES is a matter of updating the server and client browser software to accept it.
But in the payment environment, cryptography is performed in devices. To update to AES, every device deployed in the U.S. would need to be replaced or field-upgraded. Considerations also include ATMs, gas pumps and Hardware Security Modules (HSMs), all of which would also need to be updated. And finally, upgrades need to occur to the transaction messaging software to accommodate the larger block size for AES, especially PIN blocks.
For this reason, migration within payment ecosystems is necessarily gradual and coordinated. The transition from TDES to AES is driven not only by evolving cryptographic research, but also by performance considerations, regulatory guidance and long-term infrastructure modernization planning. Quantum computing is one of several forward-looking factors influencing this shift, but it is not the sole driver of change.
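To make the PIN-block point concrete, the following added example (not from the original article or from Bluefin) builds the clear ISO 9564-1 format 0 field, which fills exactly one 8-byte TDES block, next to the clear format 4 fields, which are sized for the 16-byte AES block. The field layouts follow ISO 9564-1, which this article does not spell out; the function names, the sample PIN and PAN, and the fixed random bytes are constructed for illustration, and the encryption steps are omitted.

```python
import secrets

DES_BLOCK = 8    # bytes per DES/TDES block (figure from the article)
AES_BLOCK = 16   # bytes per AES block (figure from the article)


def _check(pin: str, pan: str) -> None:
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 digits")


def format0_clear_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field, 8 bytes in total."""
    _check(pin, pan)
    # Control nibble 0, PIN length, PIN digits, then 'F' fill to 16 nibbles.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    # Four zero nibbles, then the rightmost 12 PAN digits excluding the check digit.
    pan_field = "0000" + pan[:-1][-12:]
    return bytes(a ^ b for a, b in
                 zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def format4_clear_fields(pin: str, pan: str, rnd: bytes = None):
    """ISO 9564-1 format 4: a 16-byte PIN field and a 16-byte PAN field.

    These are the inputs to the AES steps, which are not performed here.
    """
    _check(pin, pan)
    rnd = secrets.token_bytes(8) if rnd is None else rnd
    if len(rnd) != 8:
        raise ValueError("format 4 carries exactly 8 random bytes")
    # Control nibble 4, PIN length, PIN digits, 'A' fill to 16 nibbles, 16 random nibbles.
    pin_field = f"4{len(pin):X}{pin}".ljust(16, "A") + rnd.hex().upper()
    # PAN length minus 12, PAN digits zero-padded to 19, then 12 zero nibbles.
    pan_field = f"{len(pan) - 12:X}{pan}".ljust(20, "0") + "0" * 12
    return bytes.fromhex(pin_field), bytes.fromhex(pan_field)


def fits_legacy_field(block: bytes, field_len: int = DES_BLOCK) -> bool:
    """True if the block fits a message field sized for one TDES block."""
    return len(block) <= field_len


if __name__ == "__main__":
    pin, pan = "1234", "43219876543210987"   # constructed sample values
    f0 = format0_clear_block(pin, pan)
    f4_pin, f4_pan = format4_clear_fields(pin, pan)
    print("format 0:", f0.hex().upper(), len(f0), "bytes,",
          "fits 8-byte field:", fits_legacy_field(f0))
    print("format 4 PIN field:", len(f4_pin), "bytes,",
          "fits 8-byte field:", fits_legacy_field(f4_pin))
```

A message field, database column or HSM command buffer sized for the 8-byte block cannot carry the 16-byte AES block, which is why the messaging software has to change along with the devices.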
The PCI Security Standards Council (SSC) has provided guidance supporting AES adoption and continues to evaluate long-term cryptographic transition planning across the ecosystem.
“The PCI SSC recognizes that the migration to AES is a major effort across the ecosystem and we are reevaluating how best to support this effort. PCI SSC will continue to solicit stakeholder feedback on the progress of migration efforts and the time frames needed for organizations to implement the changes properly. Additionally, PCI SSC is preparing an Information Supplement for release in 2021 that will provide detailed guidance on implementing ISO Format 4 PIN Blocks. This Information Supplement will serve as a resource to help organizations understand what an ISO Format 4 PIN block is and why migration is important, as well as provide guidance for migration planning.”
The Council further goes on to say that:
“While both [TDES and AES] are still currently accepted encryption practices, the PCI SSC recommends that entities with environments subject to PCI Standards that require the use of symmetric encryption algorithms migrate to AES as it is a stronger cryptographic algorithm.”
In parallel, standards bodies such as NIST have finalized post-quantum cryptographic standards intended to replace vulnerable asymmetric algorithms over time. Importantly, these developments complement, rather than replace, the continued use of strong symmetric encryption like AES within payment environments.
What Does Quantum Computing Mean for P2PE?
Point-to-point encryption (P2PE) is designed to protect sensitive payment data from the moment it is captured at a payment device through transmission and decryption in a secure environment. In most modern implementations, P2PE relies primarily on strong symmetric encryption algorithms, including AES, combined with secure key management practices.
When discussing encryption and quantum computing, it is important to recognize that the theoretical vulnerabilities most frequently cited apply to certain asymmetric key exchange and digital signature algorithms. Properly implemented symmetric encryption, particularly AES-256, is widely regarded as resistant to known quantum attack models and continues to be recommended by security standards bodies.
In practical terms, this means that PCI-validated P2PE solutions built on modern encryption standards remain secure today. Organizations should focus on ensuring that encryption implementations follow current best practices, use strong key lengths and are supported by robust hardware security modules (HSMs) and secure key management processes.
At the same time, responsible security providers are designing systems with long-term cryptographic agility in mind, meaning the ability to adapt to new standards, including post-quantum cryptographic algorithms, as industry guidance evolves. This measured approach ensures that payment security solutions can continue to protect sensitive data both now and in the future.
For merchants and payment stakeholders, the takeaway is clear: quantum computing does not make P2PE obsolete. Instead, it reinforces the importance of deploying strong, standards-based encryption today while maintaining awareness of future cryptographic developments.
Preparing the Payments Industry for the Future of Encryption
Predictions about when large-scale, cryptographically relevant quantum computers will become viable continue to vary. While research and investment in quantum technologies are accelerating, practical systems capable of threatening modern encryption standards have not yet materialized. In response, security leaders and standards bodies are taking a deliberate, measured approach to long-term cryptographic transition planning.
For the payments industry, the path forward is not reactive; it is strategic. The continued migration from TDES to AES reflects broader modernization efforts centered on stronger key lengths, improved performance and sustained cryptographic resilience. AES-256 remains a foundational component of secure payment environments and is widely regarded as resistant to known quantum attack models when properly implemented.
At the same time, the emergence of standardized post-quantum cryptographic algorithms demonstrates that the industry is preparing thoughtfully for the future replacement of certain asymmetric mechanisms. These developments enhance long-term resilience while reinforcing the importance of strong symmetric encryption today.
Organizations that prioritize cryptographic agility, the ability to adapt to evolving standards without disrupting operations, will be best positioned as encryption frameworks continue to advance. By enabling AES across its Decryptx® P2PE and ShieldConex® platforms, Bluefin has aligned its solutions with both current standards and future transition pathways, helping customers protect sensitive data with confidence.
As conversations around encryption and quantum computing continue, the priority should not be uncertainty; it should be implementation. Deploy strong, standards-based encryption now, maintain visibility into emerging guidance and work with partners committed to long-term security leadership.
Explore how Bluefin’s PCI-validated P2PE and data security platforms support AES-256 encryption and are designed for long-term cryptographic resilience across payment and data environments.
Encryption and Quantum Computing FAQs
What is “harvest now, decrypt later” and should payment organizations be concerned?
“Harvest now, decrypt later” refers to the idea that encrypted data could be intercepted today and stored, with the intention of decrypting it in the future if quantum computing becomes capable of breaking certain cryptographic algorithms. For payment environments, this reinforces the importance of strong encryption, limited data retention and tokenization strategies that minimize stored sensitive data.
Will quantum computing impact TLS and secure web transactions?
Potentially, but primarily in the key exchange portion of TLS that relies on asymmetric cryptography. Security providers and standards bodies are actively developing post-quantum key exchange mechanisms to address this over time. The symmetric encryption used within TLS sessions remains strong when modern key lengths are applied.
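The split described in this answer, and the earlier point that moving TLS to AES is a cipher-suite change, can be checked on a real endpoint configuration. The following is an added example (not from the original article or from Bluefin) that labels each enabled cipher suite in a Python `ssl` context by bulk cipher and key-exchange family; the label strings, function names and sample entries are constructed for illustration.

```python
import ssl

# 'kea' values reported by SSLContext.get_ciphers() for RSA, DH and ECDH key exchange.
CLASSICAL_KX = {"kx-rsa", "kx-dhe", "kx-ecdhe"}


def classify_suite(entry: dict) -> dict:
    """Label one get_ciphers() entry by bulk cipher and key-exchange family."""
    sym = (entry.get("symmetric") or "").lower()
    kx = entry.get("kea") or ""
    if "des" in sym:
        bulk = "tdes"                        # DES/TDES: candidate for AES migration
    elif sym.startswith("aes"):
        bulk = "aes-%d" % (entry.get("strength_bits") or 0)
    else:
        bulk = "other"
    if kx in CLASSICAL_KX:
        kx_class = "classical-public-key"    # RSA / DH / ECC key exchange
    elif kx == "kx-any":
        kx_class = "tls13-negotiated"        # TLS 1.3 negotiates key exchange outside the suite
    else:
        kx_class = "other"
    return {"name": entry.get("name"), "protocol": entry.get("protocol"),
            "bulk": bulk, "kx": kx_class}


def audit(ctx: ssl.SSLContext = None) -> list:
    """Classify every cipher suite enabled in the given (or default) context."""
    if ctx is None:
        ctx = ssl.create_default_context()
    return [classify_suite(e) for e in ctx.get_ciphers()]


def aes_only_context() -> ssl.SSLContext:
    """Client context whose TLS 1.2 suites are limited to ECDHE with AES-GCM."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string; TLS 1.3 suites are not controlled by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


# Constructed entries in the shape returned by get_ciphers(), for offline use.
SAMPLE_ENTRIES = [
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "symmetric": "des-ede3-cbc", "strength_bits": 112, "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "symmetric": "aes-256-gcm", "strength_bits": 256, "kea": "kx-ecdhe"},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "symmetric": "aes-256-gcm", "strength_bits": 256, "kea": "kx-any"},
]

if __name__ == "__main__":
    for row in audit(aes_only_context()):
        print(row)
```

Suites labelled `tdes` are the ones an AES migration removes, while `classical-public-key` marks where a post-quantum key exchange would eventually be introduced.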
Do organizations need to replace existing payment hardware today because of quantum computing?
No. There is no immediate requirement to replace payment infrastructure solely due to quantum computing. Hardware refresh cycles should align with regulatory guidance, AES adoption strategies and long-term modernization plans rather than speculative timelines.
How does tokenization fit into a post-quantum security strategy?
Tokenization reduces the amount of sensitive data that must be encrypted and stored in the first place. By replacing primary account numbers (PANs) with non-sensitive tokens, organizations reduce the impact of any future cryptographic transition and limit exposure to long-term decryption risks.
What is cryptographic agility, and why does it matter?
Cryptographic agility refers to the ability of a system to transition between cryptographic algorithms without requiring a full infrastructure redesign. As standards evolve, including post-quantum algorithms, systems designed with agility can adapt more efficiently, reducing operational risk and disruption.
Are regulators currently mandating post-quantum cryptography in payments?
At this time, regulators are not mandating immediate adoption of post-quantum cryptographic algorithms in payment systems. However, standards bodies such as NIST have begun formalizing post-quantum standards, signaling that future transitions will occur gradually and in a structured manner.






