Enhancing Payment Gateway Security Through a Post-Quantum Cryptography Migration Framework

Abstract

Payment gateways are the critical cryptographic chokepoints of the global digital economy, yet the RSA, ECDSA, and ECDH primitives securing them are susceptible to Shor’s algorithm on a cryptographically relevant quantum computer (CRQC). This paper presents the Enhanced Payment Gateway Post-Quantum Migration Framework (EPQMF), a structured seven-phase methodology designed to guide payment service providers and financial institutions through a comprehensive, risk-managed transition to NIST-standardised post-quantum cryptography (PQC). The framework spans the complete migration lifecycle: automated cryptographic asset discovery and quantum risk classification; hybrid classical/PQC architecture design incorporating ML-KEM-768 and ML-DSA-65; phased production rollout using blue-green deployment and dual-certificate strategies; hardware security module (HSM) compatibility planning; and long-term cryptographic agility governance. Empirical performance evaluations demonstrate that ML-KEM-768 introduces TLS 1.3 handshake overhead of 1.4–2.2 ms — within real-time payment SLA tolerances — while ML-DSA-65 signing requires HSM horizontal scaling for high-frequency workloads. The HARVEST NOW, DECRYPT LATER (HNDL) threat model is addressed as the primary migration driver, establishing that migration must commence immediately regardless of CRQC timeline uncertainty. Regulatory alignment with PCI DSS v4.0, ISO/IEC 27001:2022, and the EU Digital Operational Resilience Act (DORA) is embedded across all framework phases. The EPQMF provides practitioners with a standards-grounded, operationally validated migration pathway achievable within a 9-month deployment horizon.