FOR PAYMENT NETWORK SECURITY ARCHITECTS
Post-quantum encryption for payment network infrastructure
Card scheme HSMs, PIN processing, and network-wide zone key distribution are the attack surface that quantum computers will target first. CQ1 secures the full cryptographic stack before that window opens.
USE CASES
CQ1 in payment network architecture
Card authorization HSM replacement
CQ1 replaces Thales and Entrust HSMs in card authorization flows via PKCS#11 drop-in. Post-quantum key diversification for EMV chip keys, PVV computation, and 3DS authentication — all without changes to authorization application code.
PIN processing
PIN encryption keys (PEK/ZPK) and PIN verification values are generated and stored inside CQ1's tamper boundary. Kyber-1024 key encapsulation secures key exchange with PIN entry devices and acquiring banks. Classical 3DES PIN blocks decrypt correctly for backward compatibility.
Zone key distribution
Secure zone key distribution between acquirers, switches, and issuers via Kyber-1024 key encapsulation. The hybrid X25519+Kyber-1024 mode maintains backward compatibility with classical participants while upgrading the cryptographic strength of key distribution sessions.
Network-level TLS upgrade
TLS 1.3 with Kyber-1024 hybrid key agreement for all inter-node network sessions. JCA/JCE provider enables Java-based payment gateway software to negotiate post-quantum TLS without code changes — just provider configuration.