As digital payments continue to grow globally, ensuring the cyber resilience of financial market infrastructures (FMIs) is vital to safeguarding the stability of financial and payment systems. Core infrastructures such as Real Time Gross Settlement (RTGS), Automated Clearing House (ACH), cross-border payments, instant payments, and Central Bank Digital Currencies (CBDCs) must meet high cyber-resilience standards to preserve trust and security, consistent with the Committee on Payments and Market Infrastructures (CPMI) and International Organization of Securities Commissions (IOSCO) guidance.
While security encompasses multiple dimensions, one essential element is protecting participant privacy and transaction integrity by encrypting payment messages transmitted to and from the system. Equally important are strong authentication mechanisms to ensure that only authorised parties can access or initiate transactions, and non-repudiation controls that prevent participants from denying the validity of their actions within the payments system.
For example, payment networks (such as SWIFT or an RTGS system) digitally sign messages and use encryption to prevent fraud and tampering. Central bank systems often use Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) based Public Key Infrastructure (PKI) for encryption, authentication of member banks, and signing of critical messages. Traditional cryptography relies on mathematical problems that are computationally difficult to solve using classical computers. This protects access to systems and data by making decryption practically impossible without the appropriate keys.
Quantum computing has evolved from academic research to having real-world implications for businesses. It now represents a transformative advance in computational capabilities, posing an existential threat to the current cryptographic algorithms.
In the pre-quantum era, breaking RSA-2048 encryption was considered infeasible, with estimates suggesting it would take billions of years to do so using classical computing. However, a quantum computer with around one million qubits running Shor’s algorithm could potentially crack it within hours to days.
Quantum computing advances have prompted financial market infrastructures to act urgently, with the term Y2Q, or Years to Quantum, marking the countdown to when quantum computers could break classical cryptographic encryption.
The security assumptions underlying payment messages (RSA, ECC) will no longer hold in the face of quantum computing. Quantum-based cyberattacks could swiftly defeat current cryptography, one of the main defences protecting payment messages, account authentication, and transaction signatures.
This is not a distant hypothetical concern — it has immediate implications via the “harvest now, decrypt later” (HNDL) tactic: Cybercriminals and other adversaries are already capturing encrypted data and stored records today, planning to decrypt them once quantum decryption becomes possible.
This can erode trust in our payment ecosystem providers, including central banks, payment system operators (PSOs), issuing/acquiring banks, payment gateways/processors, and fintech and payment service providers. Organisations across the payment ecosystem that fail to act swiftly may risk undermining customer trust and facing regulatory compliance issues. Therefore, we advise developing a roadmap to assess risk, prioritise remediation, and transition to quantum-resilient systems.
NIST has finalised its first set of post-quantum cryptography algorithms and established timelines to transition to the new standards. Existing algorithms such as the elliptic curve digital signature algorithm (ECDSA), the Edwards-curve digital signature algorithm (EdDSA), and RSA will be deprecated by 2030 and then disallowed by 2035.
The regulatory body has also formally standardised quantum-safe algorithms. ML-KEM (Kyber) enables key encapsulation for secure data transmission, while ML-DSA (Dilithium) and FN-DSA (FALCON) provide digital signatures for identity verification. SLH-DSA (SPHINCS+) is designed to offer stateless, hash-based signatures for long-term security uses, such as ensuring the integrity of backup data.
Central banks and regulators (BIS, G7 Cyber Experts Group, etc.) are actively researching and piloting Post-Quantum Cryptography (PQC) methods to protect financial systems against upcoming attacks, which threaten to disrupt payment networks. Initiatives like Project Leap by the Bank for International Settlements and the Banque de France have successfully tested quantum-resilient algorithms for financial data transmission. This strong momentum means payment operators and banks will likely face compliance requirements to demonstrate readiness and agility in deploying PQC solutions.
One of the first hurdles is simply identifying everywhere RSA/ECC is used. Central banks, large banks, and payment systems have decades of legacy applications, protocols, and devices, such as Hardware Security Modules (HSMs), Automated Teller Machines (ATMs), point-of-sale units, and smart cards, that rely on classical crypto. Limited cryptographic visibility in legacy systems can impede planning. Firms must create an exhaustive inventory of algorithms, keys, and certificates in use – often referred to as a ‘Cryptographic Bill of Materials (CBOM)’ – to understand what needs upgrading. Without this, there’s a risk of missing weak links.
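A first pass at the inventory triage described above, as an added example that is not part of the original article. The asset names, usage labels, status names and priority scheme are assumptions made for illustration; the algorithm strings are typical of what certificates and TLS configurations report.

```python
import re
from dataclasses import dataclass

# Post-quantum families named in the article's list of standardised algorithms.
PQC = re.compile(r"ml-?kem|ml-?dsa|slh-?dsa|fn-?dsa", re.I)
# Public-key families that rely on factoring or discrete logarithms (Shor-breakable).
SHOR = re.compile(r"rsa|ecdsa|eddsa|ecdh|ed25519|ed448|x25519|x448|\bdhe?\b|\bdsa\b", re.I)
SYMMETRIC = re.compile(r"aes|chacha|hmac|sha-?\d", re.I)
CONFIDENTIALITY = {"key-exchange", "encryption"}  # usages exposed to harvest now, decrypt later

@dataclass
class Asset:
    system: str
    usage: str      # key-exchange | encryption | signature | authentication
    algorithm: str  # identifier as reported by a certificate, TLS config or HSM

def classify(algorithm):
    """Map an algorithm identifier to a CBOM status."""
    has_pqc = bool(PQC.search(algorithm))
    # Strip the PQC part first so "ML-DSA" is not mistaken for classical DSA.
    has_classical = bool(SHOR.search(PQC.sub("", algorithm)))
    if has_pqc:
        return "hybrid" if has_classical else "pqc"
    if has_classical:
        return "quantum-vulnerable"
    return "symmetric" if SYMMETRIC.search(algorithm) else "unknown"

def triage(assets):
    """Return CBOM rows sorted by remediation priority (1 = most urgent)."""
    rows = []
    for a in assets:
        status = classify(a.algorithm)
        # Traffic captured today can be decrypted later, so confidentiality uses come first.
        hndl = status == "quantum-vulnerable" and a.usage in CONFIDENTIALITY
        # Unknown entries rank with vulnerable ones: an unidentified algorithm is a blind spot.
        priority = 1 if hndl else {"quantum-vulnerable": 2, "unknown": 2, "hybrid": 3}.get(status, 4)
        rows.append({"system": a.system, "usage": a.usage, "algorithm": a.algorithm,
                     "status": status, "hndl_exposed": hndl, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], r["system"]))

# Constructed sample inventory; the systems are hypothetical.
SAMPLE = [
    Asset("rtgs-gateway", "key-exchange", "ECDHE-RSA-AES256-GCM-SHA384"),
    Asset("member-bank-pki", "signature", "sha256WithRSAEncryption"),
    Asset("atm-hsm", "encryption", "AES-256-GCM"),
    Asset("instant-pay-api", "key-exchange", "X25519MLKEM768"),
    Asset("archive-signing", "signature", "SLH-DSA-SHA2-128s"),
    Asset("pos-terminal", "authentication", "vendor-proprietary-v2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["priority"], row["system"], row["status"], row["hndl_exposed"])
```
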
The other hurdle is that financial infrastructure ecosystems are complex, involving heterogeneous vendors and numerous participants. Cryptographic upgrade coordination and interoperability must be maintained at each step, meaning everyone must agree on standards (which post-quantum cryptography algorithms to use, parameter settings, etc.) and timing. Cross-border systems add further complexity: different jurisdictions might move at different paces. Ensuring that, say, a US bank and an EU bank can still communicate securely during the transition requires meticulous coordination. Additionally, supply chain dependencies (hardware security modules, software libraries, cloud services) need alignment; organisations depend on their vendors to support post-quantum cryptography in products and updates. There is a need for regulators, SIG, or a consortium to provide recommendations/guidelines to banks on this.
Transitioning financial market infrastructures to post-quantum cryptography is a massive undertaking, with multiple migration barriers to navigate:
Performance and latency impact: New algorithms generally have larger key and signature sizes and higher computational costs, which can be challenging for latency-sensitive “real-time” systems that can’t tolerate much overhead.
Operational continuity: Updating cryptography in systems that run 24/7, like core banking or payment clearance, is non-trivial. Coordinating these changes without breaking authentication or failing compliance checks is a logistical challenge.
Compliance and governance: Regulators may require evidence of progress (e.g. completion of crypto inventories, risk assessments, and migration plans). Firms will be under regulatory scrutiny during this transition; without strong coordination across teams and management support, the migration could falter.
Key management and infrastructure upgrades: Replacing RSA/ECC with post-quantum cryptography also means upgrading the surrounding infrastructure (PKI, key management systems, HSM). Planning these upgrades or replacements is a challenge given their centrality and cost.
Technology maturity and support: Ensuring secure, validated implementations of post-quantum cryptography across software libraries, protocols, and hardware is crucial. Moreover, some standards are still evolving; early adopters must grapple with these uncertainties and may need to update their solutions as standards finalise.
To address these challenges and barriers and strengthen resilience, we recommend implementing an enterprise cryptography module based on a hybrid architecture that enables quantum-resilient algorithms to run alongside traditional ones.
This design will address two key objectives:
Organisations must architect their systems to be flexible enough to change the engine in flight, and they might have to do so again if new discoveries arise.
It is now evident that, with growing threats, cryptographic agility is key to flexibility for financial institutions, helping payment systems protect data, ensure compliance, and maintain business continuity. Those who future-proof their cryptographic services in payment systems today will gain a critical competitive advantage tomorrow.
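One way a hybrid module can run a quantum-resilient algorithm alongside a traditional one for key establishment is to derive the session key from both shared secrets, so that it stays safe while either algorithm holds. This is an added example, not code from the article or from any TCS product; the function names and the suite label are assumptions, and the two shared secrets are taken as inputs from whatever classical key agreement and PQC KEM implementations the module uses.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract then expand, using HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(data):
    """Length-prefix a field so that field boundaries are unambiguous."""
    return len(data).to_bytes(2, "big") + data

def hybrid_session_key(classical_ss, pqc_ss, suite, transcript):
    """Combine a classical and a post-quantum shared secret into one session key.

    suite      -- label of the negotiated algorithm pair (illustrative naming)
    transcript -- bytes of the handshake messages both sides exchanged
    """
    if not classical_ss or not pqc_ss:
        # Refuse to fall back silently to a single algorithm.
        raise ValueError("both shared secrets are required in hybrid mode")
    ikm = _lp(classical_ss) + _lp(pqc_ss)
    # Binding the suite label and transcript means a key derived under a
    # downgraded or substituted suite never matches the peer's key.
    info = _lp(suite.encode()) + _lp(hashlib.sha256(transcript).digest())
    return hkdf_sha256(ikm, salt=b"", info=info)

if __name__ == "__main__":
    # Constructed stand-in secrets; real ones come from the key agreement and the KEM.
    key = hybrid_session_key(b"\x01" * 32, b"\x02" * 32, "X25519+ML-KEM-768", b"hello")
    print(key.hex())
```

Because the suite label is an input rather than a constant, swapping either algorithm later changes only the label and the source of the secrets, not the derivation code.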
PQC Framework for FMIs
By decoupling cryptographic services from the core payment systems logic, financial market infrastructure systems can become more secure, resilient and adaptable.
Flexibility and crypto-agility could be embedded in the foundation of each payment system, but this introduces operational complexity and performance trade-offs. Looking forward, key design questions for next-generation FMIs could include how to balance flexibility with complexity, how to scale without compromising resilience and how to prepare for quantum-era risks without undermining today’s reliability and trust. As post-quantum cryptography standards and operational frameworks mature, coordinated progress across technology, regulation, and governance will be essential to ensure that next-generation infrastructures remain both secure and adaptable. Governance embedded in the framework is a key factor in enabling the multiple teams involved across payments to communicate clearly and manage people, processes, and platforms.
This isolation of specific business functions and technical functionalities, such as cryptography, allows resource-intensive functions to be scaled without affecting other components, while also simplifying upgrades, maintenance and system evolution.
For the financial industry, this is not a technology upgrade; it is a strategic risk‑management imperative. The transition will require early action, sustained governance, and industry‑wide coordination, including full visibility of cryptographic dependencies, phased infrastructure upgrades, and global interoperability. Regulatory and governmental directives already support this shift, with industry roadmaps targeting the completion of core migrations by around 2030, well ahead of the expected arrival of quantum computers with cryptographic relevance.
Institutions that act now, adopting a phased and crypto‑agile approach, will steadily reduce quantum‑related risk while avoiding disruptive, last‑minute change. Proactive measures, such as hybrid deployments, rigorous testing, and cross‑industry collaboration, will ensure that financial market infrastructures remain secure, resilient, and trusted as the quantum era approaches.
At TCS, we support financial market infrastructures and financial institutions as they prepare for the post‑quantum future. Our PQC framework for FMIs provides a structured path to protect system integrity, strengthen resilience, and ensure long‑term trust in critical financial infrastructure.