Mastercard preps for the post-quantum cybersecurity threat

The ecosystem of digital payments is a sitting duck.

The billions of transactions we conduct online today are protected by what are called public-key encryption technologies. But as quantum computers become more powerful, they will be able to break these cryptographic algorithms. Such a cryptographically relevant quantum computer (CRQC) could deliver a devastating impact to global cybersecurity protocols.

To prepare for this worst-case scenario, Mastercard launched its Quantum Security and Communications project, which earned the company a 2023 US CIO 100 Award for IT innovation and leadership.

“We’re working proactively to mitigate the future risks related to quantum computing that could impact the security of the billions of digital transactions we process globally,” says George Maddaloni, chief technology officer of operations at Mastercard, explaining the impetus for the project.

The post-quantum cybersecurity landscape

As it stands today, the online transactions that you and I conduct swear allegiance to public-key cryptography. In this technique, the person (or entity) sending the message secures (locks) it with a publicly available “key” and the entity at the receiving end decrypts it with a private key. The premise is that since only the receiver has the private key, the transaction is secure.

Secure private keys derive from mathematical algorithms — the Rivest-Shamir-Adleman (RSA) algorithm is a common one — that are impossible to reverse-engineer and hack. At least until a CQRC gets here and does so through sheer brute force of quantum computing.

Entities in the private and public sector are preparing by following one of two tracks: working on a whole new set of quantum-resistant algorithms on which to base the private keys (post-quantum cryptography, PQC) or using quantum physics to do the same (quantum key distribution, QKD). Mastercard’s project focuses on the latter method. Other enterprises in the financial sector are also exploring QKD.

On a parallel track, public institutions such as the National Institute of Standards and Commerce (NIST) are following the “harden-the algorithms” PQC approach. NIST has selected four quantum-resistant algorithms and is in the process of standardizing them. The final ones are expected to be available in the first half of 2024 and NIST has established a quantum-readiness roadmap for enterprises to follow.

The Mastercard project

Given that Mastercard has embraced the quantum key distribution method, its pilot project determined the architectural requirements and limitations of QKD and the operational readiness of the QKD systems.

Mastercard’s Maddaloni reports that the team tested the quantum key distribution solution over a dark fiber network. Toshiba and ID Quantique were used to produce the keys. Two networking vendors that Mastercard has worked with in the past were also brought in. Their input from an IP Ethernet networking perspective helped, Maddaloni says. The goal was to conduct an inventory of the types of networking capabilities within Mastercard’s network, which has thousands of endpoints connected with a few different telecommunications capabilities. “We wanted to look at whether the quantum key distribution capabilities work in that environment,” Maddaloni says.

“The availability of QKD-enabled services and equipment is very specialized and currently quite limited,” Maddaloni says. “Not many hardware vendors have features available that can integrate with the QKD systems.” Designing the test was also challenging. QKD requires individual photons to arrive at precise times, and quantum states used for encryption can be easily disturbed by external factors such as noise, temperature changes, and vibration, among other factors.

“The project was designed to meet these challenges and deliver provable results and validation of the technology potential,” Maddaloni adds. And it was successful.

The great migration

Questions of cybersecurity like the ones Mastercard is addressing are key because they address the very foundation of the system that financial institutions have built.

“Transaction security and the trust of our customers are the backbone of our business,” Maddaloni points out. “The impact of current PKI encryption methods being compromised could quite literally threaten our ability to operate securely,” he adds. “We believe being ready for a post-quantum landscape is part of our job and sends the right message to our partners, our customers, and our regulators.”

Jeff Miller, CIO and senior vice president of IT and Security at Quantinuum, a full-stack quantum services company, agrees that protecting data is vital because “it’s a conversation of trust with the consumer.” The process of being crypto-agile is realizing that bad actors get more creative in the ways that they break into environments. As a result, enterprises must continue to build an iterative process and develop protocols to address these vulnerabilities.

While financial companies such as Mastercard are gearing up using their own pilot projects, the industry standards committee X9 is also working on guidance for enterprises in the financial sector, points out Dr. Dustin Moody, a mathematician who leads the post-quantum cryptography project at the National Institute of Standards and Technology (NIST).

The road ahead is not easy, the experts admit. “The availability of quantum key distribution services and equipment is still very limited. Some of the hardware vendors we worked with have features that are just announced and very new in the market, and some haven’t even been generally made available,” Maddaloni points out. “I do think that the industry understands that financial services will need this capability in the future.”

Moody advises companies to hone their post-quantum readiness despite what might look like a daunting landscape. The first order of business? “You need to find all instances of public-key cryptography, which is tricky and it will take time to do that inventory,” Moody says. “It’s gonna be a complex migration that will take time,” he says, “so we encourage organizations to get ahead of it as soon as they can.”

Miller agrees. He likens the process to preparing for Y2K, when enterprises were worried about formatting and storage of information beyond the year 2000. The migration to post-quantum preparedness even has a similar catchy acronym: Y2Q. A key difference, Miller says, is that there was a fixed countdown clock to Y2K. The cryptographically relevant quantum computer is not here today but it could be five years from now. Or ten.

“Knowing that we don’t have a firm date for when our current encryption methodologies are no longer useful,” Miller says, “that’s what keeps me awake at night.”