A Conversation with Fayyaz Makhani, Global Security Architect at VikingCloud

1. Let’s start simple. What is quantum computing?
   It's a fundamentally different way of doing computation. Today's computers use bits that are either a 0 or a 1. Quantum computers use qubits, which can be 0 and 1 at the same time. That sounds strange, but it's what allows quantum systems to work through certain problems in parallel instead of step-by-step.
   
   Here's the nuance, though: quantum isn't universally faster. For your email, your ERP, and your everyday workloads, classical computers are more stable, more efficient, and more practical. Quantum gets interesting in one specific area, and that's math. Certain math problems that underpin modern encryption could be solved by a powerful enough quantum computer, far faster than anything we have today. That's why the payments industry is paying attention. It isn't about replacing payment rails. It's about challenging the assumptions holding up parts of our encryption stack.

2. How does that differ from what runs payment systems today?
   Every payment system in production runs on classical computing. Even the massive, globally distributed, parallelized ones. At the core, every calculation is sequential logic. Our cryptography is built on the idea that some math problems are effectively unsolvable in any reasonable time. Factoring enormous numbers, for example, or solving discrete logarithms. On a classical computer, you'd need more time than the age of the universe. Quantum computing changes that math. For this specific category of problems, quantum algorithms can collapse those timelines dramatically.
   
   So, it isn't a question of "faster computers." It's a question of which problems become solvable at all. And since trust, authentication, and key exchange in payments all depend on those problems staying hard, that's where the implications hit.

3. Does quantum computing exist in production today?
   It exists, but not in a form that threatens anything yet. You can access quantum systems through research labs and some cloud providers. They work. But they're small, noisy, and error-prone. They can run experimental quantum algorithms. They cannot break encryption.
   
   That said, the trajectory matters. Qubit counts are climbing. Error correction is improving. And payment infrastructure has long tails. Terminals, HSMs, embedded crypto modules, certificates, these things stay in service for many years, sometimes ten years or more. Add in the "harvest now, decrypt later" risk, where adversaries capture encrypted data today to decrypt it once quantum matures, and the strategic window starts closing well before the operational threat arrives.
   
   So no, quantum isn't breaking payments today. But it's absolutely something to plan for now.

4. What does a world with both agentic AI and quantum computing look like?
   These operate at different layers, but they'll coexist in the same ecosystem.
   
   Agentic AI is about systems that make decisions and take actions autonomously with limited human oversight. In payments, that could mean automated fraud response, dynamic credit decisions, or self-optimizing transaction routing. Quantum, on the other hand, affects the cryptographic foundation underneath all of that.
   
   Picture a future where financial systems run largely autonomously, making rapid decisions and interacting with other autonomous systems globally. All of that activity still depends on secure identity, authentication, and encryption. If a quantum-capable adversary shows up and your cryptography hasn't kept pace, you now have autonomous systems amplifying the damage of compromised trust. The speed of AI becomes a liability instead of an asset.
   
   So, it isn't quantum versus AI. It's a more automated financial ecosystem that has to be secured with cryptography built for a post-quantum world.

5. Give us a high-level view of cryptography in payments today?
   Payments run on layered cryptography. At the base, symmetric encryption protects transaction data in motion and at rest. Everyone who needs to read the data shares the same secret key. It’s fast, efficient, and built for volume.
   
   The challenge is getting that shared key to the right parties without anyone else intercepting it. That’s where public-key cryptography comes in. It handles key exchange, digital signatures, and authentication. It’s what lets terminals, acquirers, issuers, and networks establish secure channels without pre-sharing secrets. This is the piece that’s quantum-vulnerable.
   
   On top of that, hardware security modules enforce key protection. Tokenization shrinks exposure of primary account numbers. PCI and other frameworks layer in compliance controls. It isn’t one mechanism. It’s a stack of controls designed to preserve confidentiality, integrity, authenticity, and non-repudiation across the payment lifecycle.

6. What are the strengths and weaknesses of current cryptography?
   The biggest strength is maturity. These standards have been stress-tested for decades, they’re globally interoperable, and they’re embedded into every part of the payment stack. Implemented correctly, they hold up extremely well against traditional attacks.
   
   Symmetric encryption, with large enough key sizes, stays strong even against quantum. The weakness sits in the public-key algorithms most of the industry relies on: RSA and elliptic-curve cryptography. Those depend on math problems that are believed to be vulnerable to large-scale quantum algorithms.
   
   Today, that vulnerability is theoretical. If and when quantum systems reach scale and stability, those public-key schemes could be broken in feasible time frames.

7. Can we secure systems against quantum-powered attacks?
   Yes, and the work is already underway. The industry is standardizing quantum-resistant algorithms, often called post-quantum cryptography. These are designed around math problems that are currently hard for both traditional and quantum machines.
   
   Symmetric encryption can also be strengthened by increasing key sizes, which gives it meaningful resilience against quantum-enhanced attacks.
   
   The bigger architectural concept is crypto agility. Your systems should be built so cryptographic algorithms can be swapped out without tearing everything down.
   
   The goal is to move vulnerable public-key mechanisms to quantum-resistant alternatives in a controlled, interoperable, standards-based way.

8. What does it mean to be quantum safe?
   Quantum safe means your cryptographic controls hold up once large-scale quantum computers exist. Practically, that starts with knowing where vulnerable public key algorithms live in your environment. Certificate chains, firmware signing, secure messaging, application layer protocols, all of it.
   
   You validate performance, hardware compatibility, message size constraints, and regulatory alignment along the way.
   
   From there, you migrate those components to vetted, standardized quantum-resistant algorithms.
   
   Quantum safety also includes how you think about data today. Anything sensitive you’re encrypting right now shouldn’t be decryptable later if an adversary captures and stores it. For long-lived datasets, such as corporate data, government data, privacy data, that’s where the urgency comes from. Bottom line: quantum safety is cryptographic resilience against an adversary with quantum capability.

9. What makes the move to a quantum-safe ecosystem so challenging?
   The challenge isn’t the math. The math exists. The challenge is ecosystem-wide migration.
   
   Payment systems are globally interconnected and heavily standardized. When you change cryptographic algorithms, you’re touching terminals, smart cards, HSMs, certificates, APIs, and compliance frameworks, and hardware with long replacement cycles. Many quantum-resistant algorithms also come with larger-key or signature payloads, which creates bandwidth, storage, and processing implications. Legacy systems may not support them without firmware or hardware upgrades.
   
   Then there's coordination. Issuers, acquirers, networks, processors, and vendors all need to move compatibly. A fragmented transition creates its own disruption risk.
   
   So, it's less about inventing something new and more about executing a multi-year, coordinated transformation without breaking the system while you do it.

10. How is the payments ecosystem approaching this?
    Deliberately, and in phases. Standards bodies, card networks, and major financial institutions are running cryptographic inventories to map where vulnerable algorithms live. There's active collaboration to evaluate and standardize quantum-resistant algorithms, and organizations are testing how those algorithms perform in real payment environments. Many institutions are also designing crypto agility into new systems now, so future algorithm changes don't require architectural overhauls.
    
    This isn't an emergency replacement. It's structured modernization. The objective is to finish the transition before quantum becomes a practical threat, while preserving interoperability, compliance, and operational stability along the way.

11. What’s the bottom line for businesses—what should they be doing now to prepare?
    Quantum won't break payments tomorrow. But the infrastructure securing payments today was built long before this threat model existed, and replacing it will take years. The organizations that come out ahead are the ones starting now: taking inventory, building crypto agility into new systems, and planning the migration before the timeline forces their hand.
    
    VikingCloud can help you build a clear roadmap for the quantum transition so your business and your customers stay secure in the next era of payments technology.