Future-proofing the CDE: Crypto-agility, AES migration, and the post-quantum roadmap to 2030
Wednesday, 10th June at 11:00 BST | 12:00 CEST / SAST
Speakers
- Richard Ford, CTO, Integrity360
- Martin Petrov, CTO - PCI, Integrity360
Google and IBM, alongside several state-backed competitors, are racing to build a quantum computer powerful enough to break the public-key cryptography on which the payment industry, among many others, depends: cardholder data, digital signatures, HSMs, ATMs, POS terminals, certificates and the trust relationships between merchants, acquirers, issuers and service providers. Some of the algorithms protecting all of this may become ineffective within the next decade. For payment organisations this is no longer a distant science project; it is a practical PCI, resilience and infrastructure challenge.
It is also why the “Harvest Now, Decrypt Later” model matters today rather than tomorrow. Encrypted data exfiltrated now can sit in an adversary's archive until a quantum computer is ready to break it. Card expiry dates do not close this exposure: the same card number is commonly carried over across several renewals, and transaction archives are retained for years under regulatory mandate. The exposure window is the lifetime of the data, not the lifetime of the card.
This conversation is not waiting for 2030. The PCI SSC's 2025 Annual Report confirms that PCI PTS HSM, the standard governing the hardware security modules at the heart of every payment estate, completed its second Request for Comment in December 2025. Whether version 5.0 will require quantum-resistant capability, and on what timeline, is one of the questions this session sets out to explore.
In this webinar, Richard Ford, CTO, is joined by Martin Petrov, CTO - PCI, to explore what the post-quantum transition means for PCI environments, payment systems and long-term cyber resilience.
Drawing on developments from NIST, the PCI Security Standards Council and European regulatory initiatives, the session moves beyond the hype of “new algorithms” and focuses on the harder question: can your organisation find, replace and govern cryptography across the cardholder data environment before the transition becomes urgent?
Cryptography is not only in software. It is embedded in phones, HSMs, ATMs, PIN entry devices and payment terminals, many of which cannot be quantum-hardened through a firmware update. Where the cryptography lives in silicon, the silicon itself has to be replaced. The session provides a practical roadmap covering cryptographic inventories, vendor challenge questions, hybrid deployment models, hardware refresh considerations, and alignment with PCI DSS v4.0.1 requirements and future audit expectations.
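The cryptographic inventory and the “Harvest Now, Decrypt Later” reasoning above come together in a triage step: for each place cryptography lives, decide whether the data it protects outlives the date a cryptographically relevant quantum computer is assumed to exist, and whether the fix is a firmware change or a hardware refresh. The following Python is an added example written for this page, not code from the speakers, Integrity360 or the PCI SSC. The threat date of 1 January 2030, the asset names and the inventory records are all constructed assumptions chosen to exercise each branch; a real inventory would be populated from certificate stores, HSM key listings and terminal firmware manifests.

```python
"""Triage a cryptographic inventory for post-quantum exposure.

Added example for this page; the inventory below is constructed, not a real estate.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: a quantum computer able to run Shor's algorithm at scale exists
# by this date. Pick your own figure; the logic below only compares against it.
ASSUMED_THREAT_DATE = date(2030, 1, 1)

# Quantum impact per algorithm family. Shor's algorithm breaks RSA, finite-field
# DH and elliptic-curve schemes outright. Grover's search roughly halves the
# effective key length of a symmetric cipher, so AES-128 is weakened while
# AES-256 keeps a comfortable margin. ML-KEM (FIPS 203) and ML-DSA (FIPS 204)
# are the NIST post-quantum standards. 3DES is flagged "legacy" because it is
# already below modern strength expectations regardless of quantum progress.
QUANTUM_IMPACT = {
    "RSA": "broken", "ECDSA": "broken", "ECDH": "broken", "DH": "broken",
    "3DES": "legacy",
    "AES-128": "weakened",
    "AES-256": "resistant", "ML-KEM": "resistant", "ML-DSA": "resistant",
}


@dataclass(frozen=True)
class CryptoAsset:
    asset: str                 # where the cryptography lives (hypothetical names)
    algorithm: str             # key into QUANTUM_IMPACT
    purpose: str               # "confidentiality" (encryption / key exchange) or "signature"
    data_retained_until: date  # end of the retention period of what it protects
    in_silicon: bool           # True if the algorithm cannot be changed by a firmware update


@dataclass(frozen=True)
class Finding:
    asset: str
    priority: int              # 1 = most urgent, 4 = no action required
    action: str
    hndl_exposed: bool         # True if captured ciphertext stays valuable past the threat date


def triage(assets, threat_date=ASSUMED_THREAT_DATE):
    """Return findings ordered most urgent first."""
    findings = []
    for a in assets:
        impact = QUANTUM_IMPACT.get(a.algorithm, "unknown")
        fix = "replace hardware" if a.in_silicon else "update firmware/config"
        vulnerable = impact in ("broken", "legacy")
        if vulnerable and a.purpose == "confidentiality" and a.data_retained_until > threat_date:
            # Harvest Now, Decrypt Later: traffic or archives recorded today are still
            # worth decrypting once the threat date arrives, so the deadline is now.
            findings.append(Finding(a.asset, 1, f"{fix}: migrate now, data outlives threat date", True))
        elif vulnerable:
            # Signatures cannot be forged retroactively and short-lived data expires
            # before the threat date, so the deadline is the threat date itself
            # (minus procurement lead time where hardware must be replaced).
            findings.append(Finding(a.asset, 2, f"{fix}: migrate before {threat_date.isoformat()}", False))
        elif impact == "weakened":
            findings.append(Finding(a.asset, 3, "move to AES-256 at next key rotation", False))
        elif impact == "resistant":
            findings.append(Finding(a.asset, 4, "no action; keep in inventory", False))
        else:
            # An algorithm you cannot name is one you cannot govern: treat as urgent.
            findings.append(Finding(a.asset, 1, "unknown algorithm: identify before anything else", False))
    return sorted(findings, key=lambda f: (f.priority, f.asset))


# Constructed inventory covering every branch above (not a real environment).
SAMPLE_INVENTORY = [
    CryptoAsset("transaction-archive-tls", "RSA", "confidentiality", date(2035, 1, 1), False),
    CryptoAsset("pos-terminal-fleet-A", "ECDH", "confidentiality", date(2026, 6, 1), True),
    CryptoAsset("acquirer-code-signing", "ECDSA", "signature", date(2040, 1, 1), False),
    CryptoAsset("legacy-atm-pin-block", "3DES", "confidentiality", date(2032, 1, 1), True),
    CryptoAsset("card-vault-at-rest", "AES-128", "confidentiality", date(2038, 1, 1), False),
    CryptoAsset("hsm-pq-pilot", "ML-KEM", "confidentiality", date(2040, 1, 1), False),
]


def demo():
    """Triage the constructed inventory against the assumed threat date."""
    return triage(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in demo():
        flag = " [HNDL]" if f.hndl_exposed else ""
        print(f"P{f.priority} {f.asset}: {f.action}{flag}")
```

Two details are worth noting. A broken signature algorithm lands at priority 2 rather than 1 because an adversary cannot retroactively forge a signature issued today, whereas a broken key-exchange or encryption algorithm protecting long-retained data is exposed the moment the ciphertext is captured. And the `in_silicon` flag only changes the remediation text here; in practice it should also pull the deadline forward by the procurement and rollout time of a terminal or HSM refresh.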
Join us for a strategic and technically grounded discussion on how to future-proof your cryptographic environment before today's technical debt becomes tomorrow's compliance and security crisis.
What you will learn:
- Why quantum computing has become a practical risk for payment and PCI environments
- Why adopting a post-quantum algorithm is not the same as true crypto-agility
- How “Harvest Now, Decrypt Later” changes the risk timeline for sensitive data, even when card numbers expire
- How to identify cryptographic technical debt across software, hardware and vendors
- Practical approaches to hybrid classical and quantum-resistant environments
- How PCI DSS, DORA and EU expectations are shaping post-quantum readiness
- What assessors and QSAs may expect from readiness programmes by 2030
