Good Carder (Professional) · Messages: 751 · Reaction score: 493 · Points: 63
Prologue: Five Tectonic Shifts That Will Rewrite the Rules of the Game
Payment security is entering an era that could be called the final battle for trust. Security will no longer be built around a single barrier such as card or password verification. Instead, every payment will be the result of continuous analysis of hundreds of signals, continuous identity verification, and cryptography that even a quantum computer can't break.
However, these improvements are only one side of the coin. Fraudsters are also on the move: AI, deepfakes, and attacks on 5G networks are becoming accessible to any attacker. The arms race is moving to a new level, pitting algorithm against algorithm, with humans increasingly left in the role of observer.
Part 1. Post-quantum reality: replacing TLS, digital signatures, and PKI algorithms
1.1. Why it's necessary: the threat of a quantum computer
If you encrypt data today using asymmetric cryptography (RSA, ECDSA, ECDH), a sufficiently large quantum computer could break it, and many estimates put such a machine 5-10 years away. This isn't a theoretical fear: NIST, CISA, and the NSA keep stressing that the risk is already real, because traffic recorded today can be decrypted later ("Harvest Now, Decrypt Later"). Note that symmetric ciphers and hash functions are not broken outright; the exposure is in the public-key algorithms that protect key exchange and signatures.
In August 2024, the US National Institute of Standards and Technology (NIST) did what had been anticipated for years: it published the first three post-quantum cryptography (PQC) standards, FIPS 203, 204, and 205:
- FIPS 203 (ML-KEM): a lattice-based key encapsulation mechanism that replaces RSA and ECDH for key establishment.
- FIPS 204 (ML-DSA): a lattice-based digital signature algorithm designed to replace ECDSA and RSA-PSS.
- FIPS 205 (SLH-DSA): a stateless hash-based signature scheme whose security rests only on the underlying hash function, giving an additional margin for signatures that must stay trustworthy for decades.
These algorithms have become the reference standard worldwide, and the transition to them can no longer be ignored.
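To make the replacement concrete, here is an added example (my code, not from the original post or from NIST) of how ML-KEM slots in beside ECDH in the hybrid (classical + PQC) mode that 1.2 recommends, with the algorithm-registry dispatch that 1.3 calls crypto-agility. It is Go using only the standard library. One assumption to flag: the post-quantum component is a stand-in. Go's crypto/mlkem package only arrived in Go 1.24, so the second KEM here is P-256 ECDH wearing an ML-KEM-768 label; the point is that the real ML-KEM plugs into the same KEM interface, HKDF combiner and envelope header without any caller changing. Suite 1 (X25519 alone) is marked deprecated: still accepted for decapsulation during the migration window, refused for anything new. The suite names and the salt string are my own choices.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KEM is the only primitive interface application code sees; swapping an
// algorithm means registering another implementation, not editing callers.
type KEM interface {
	KeyGen() (pub, priv []byte, err error)
	Encap(pub []byte) (ct, ss []byte, err error)
	Decap(priv, ct []byte) (ss []byte, err error)
}

// ecdhKEM is ephemeral-static Diffie-Hellman viewed as a KEM: the ciphertext
// is the ephemeral public key. ML-KEM-768 would plug in through the same type.
type ecdhKEM struct{ curve ecdh.Curve }

func (k ecdhKEM) KeyGen() ([]byte, []byte, error) {
	sk, err := k.curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return sk.PublicKey().Bytes(), sk.Bytes(), nil
}

func (k ecdhKEM) Encap(pub []byte) ([]byte, []byte, error) {
	peer, err1 := k.curve.NewPublicKey(pub)
	eph, err2 := k.curve.GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	ss, err := eph.ECDH(peer)
	return eph.PublicKey().Bytes(), ss, err
}

func (k ecdhKEM) Decap(priv, ct []byte) ([]byte, error) {
	sk, err1 := k.curve.NewPrivateKey(priv)
	peer, err2 := k.curve.NewPublicKey(ct)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return sk.ECDH(peer)
}

// suite groups one or more KEMs (classical + post-quantum = hybrid) under a
// registry ID carried in the envelope header. Deprecated suites may still
// decapsulate old data but are refused for new encapsulations.
type suite struct {
	name       string
	parts      []KEM
	deprecated bool
}

// P-256 stands in for ML-KEM-768 (crypto/mlkem needs Go 1.24); it is not
// post-quantum, but the combiner and dispatch logic are what matter here.
var registry = map[uint16]suite{
	1: {"X25519", []KEM{ecdhKEM{ecdh.X25519()}}, true},
	2: {"X25519+P256(ML-KEM-768 stand-in)", []KEM{ecdhKEM{ecdh.X25519()}, ecdhKEM{ecdh.P256()}}, false},
}

// GenerateKeys makes one key pair per component of the suite.
func GenerateKeys(id uint16) (pubs, privs [][]byte, err error) {
	for _, k := range registry[id].parts {
		pub, priv, err := k.KeyGen()
		if err != nil {
			return nil, nil, err
		}
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	return pubs, privs, nil
}

// Encapsulate writes a 2-byte suite ID, then each component ciphertext
// length-prefixed, so the receiver dispatches instead of guessing.
func Encapsulate(id uint16, pubs [][]byte) ([]byte, []byte, error) {
	s, ok := registry[id]
	if !ok || s.deprecated || len(pubs) != len(s.parts) {
		return nil, nil, fmt.Errorf("suite %d not usable for new encapsulations", id)
	}
	env, secrets := binary.BigEndian.AppendUint16(nil, id), []byte{}
	for i, k := range s.parts {
		ct, ss, err := k.Encap(pubs[i])
		if err != nil {
			return nil, nil, err
		}
		env = append(binary.BigEndian.AppendUint16(env, uint16(len(ct))), ct...)
		secrets = append(secrets, ss...)
	}
	return env, combine(s.name, secrets, env), nil
}

// Decapsulate accepts active and deprecated suites; privs holds this party's
// private keys per suite ID, which is how a KMS would hand them out.
func Decapsulate(privs map[uint16][][]byte, env []byte) ([]byte, error) {
	if len(env) < 2 {
		return nil, errors.New("malformed envelope")
	}
	id := binary.BigEndian.Uint16(env)
	s, ok := registry[id]
	if !ok || len(privs[id]) != len(s.parts) {
		return nil, fmt.Errorf("suite %d unknown or no key for it", id)
	}
	rest, secrets := env[2:], []byte{}
	for i, k := range s.parts {
		if len(rest) < 2 || len(rest) < 2+int(binary.BigEndian.Uint16(rest)) {
			return nil, errors.New("malformed envelope")
		}
		n := int(binary.BigEndian.Uint16(rest))
		ss, err := k.Decap(privs[id][i], rest[2:2+n])
		if err != nil {
			return nil, err
		}
		secrets, rest = append(secrets, ss...), rest[2+n:]
	}
	return combine(s.name, secrets, env), nil
}

// combine is HKDF-SHA256 (RFC 5869, one output block) over the concatenated
// shared secrets, binding suite name and whole envelope into the info so no
// component can be swapped without changing the derived key.
func combine(name string, secrets, env []byte) []byte {
	extract := hmac.New(sha256.New, []byte("pqc-hybrid-v1"))
	extract.Write(secrets)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(name))
	expand.Write(env)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

func main() {
	pubs, privs, _ := GenerateKeys(2)
	env, ss, _ := Encapsulate(2, pubs)
	got, _ := Decapsulate(map[uint16][][]byte{2: privs}, env)
	fmt.Printf("envelope %d bytes, keys match: %v\n", len(env), hmac.Equal(ss, got))
}
```

The combiner uses the same concatenate-then-KDF shape as hybrid key exchange in TLS 1.3: the derived key stays secret as long as either component does, which is exactly the guarantee you want while the post-quantum algorithm is still young. Retiring a suite is then a one-line registry change (mark it deprecated, later delete it) rather than a code change in every service, and the per-suite key map is the hook for the key-lifecycle tooling the checklist in Part 6 asks for.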
1.2. Regulatory Requirements: Plan to 2035
If you work in the financial sector, transitioning to PQC is not an option but a mandatory requirement, and the deadlines are becoming more stringent:
- European Union: by 2030, high-risk financial systems (SWIFT, SEPA, clearing and settlement systems) should complete the transition to post-quantum cryptography.
- US: NIST, CISA and NSA urge immediate transition planning, encouraging hybrid (classic + PQC) solutions.
- G7 countries: In January 2026, the G7 Cyber Expert Group published a coordinated roadmap for the financial sector with a transition plan for 2030–2035.
The transition to PQC is not a software replacement, but a fundamental change in security architecture that will take years.
1.3. Crypto-Agility: A Survival Skill
For financial institutions, this means that passive waiting is no longer an option. PQC implementation should begin with a complete inventory of cryptographic assets: where and which encryption and signature algorithms are used, how keys are managed, and which data will be stored for longer than 5-10 years (that data is already exposed to harvest-now-decrypt-later collection).
Ideally, the system should be designed so that algorithms can be replaced without disrupting business processes: an algorithm identifier travels with every key, certificate and ciphertext, and primitives are reached through one interface rather than called directly from application code. This is the architectural principle of crypto-agility, and it could be the key differentiator between survivors and losers in the 2030s.
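As an added example (my code, not from the original post) of the inventory step, the following Go program triages a constructed list of cryptographic assets the way a first PQC planning session would: it classifies each algorithm by how a quantum computer affects it, applies Mosca's rule of thumb (if the data's shelf life plus the migration time exceeds the years left before a capable quantum computer, the data is already exposed to harvest-now-decrypt-later), and treats signatures differently because a recorded signature cannot be "harvested" the way recorded ciphertext can. The asset names, the name-prefix table and the ten-year horizon are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Family is how a cryptographically relevant quantum computer (CRQC) affects
// a primitive: Shor breaks the public-key families outright, Grover only
// halves the effective strength of symmetric keys, hashes keep their margin.
type Family int

const (
	Unknown Family = iota
	Asymmetric
	Symmetric
	Hash
	PQC
)

// Asset is one inventory record. ShelfLife is how many years the protected
// data must stay secret or trustworthy; Migration is how many years replacing
// the algorithm in this system will take.
type Asset struct {
	Name      string
	Algorithm string
	Purpose   string // "key-exchange", "encryption", "signature", "hash"
	ShelfLife int
	Migration int
}

type Finding struct {
	Asset  Asset
	Family Family
	Urgent bool
	Action string
}

// classify is a name-prefix table (an assumption); a real inventory would
// key on OIDs or library identifiers instead.
func classify(alg string) Family {
	a := strings.ToUpper(alg)
	table := []struct {
		f Family
		p []string
	}{
		{PQC, []string{"ML-KEM", "ML-DSA", "SLH-DSA"}},
		{Asymmetric, []string{"RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DSA", "DH"}},
		{Symmetric, []string{"AES", "CHACHA20"}},
		{Hash, []string{"SHA"}},
	}
	for _, row := range table {
		for _, p := range row.p {
			if strings.HasPrefix(a, p) {
				return row.f
			}
		}
	}
	return Unknown
}

// keyBits reads the trailing size from names like "AES-128"; 0 if absent.
func keyBits(alg string) int {
	parts := strings.Split(alg, "-")
	n, err := strconv.Atoi(parts[len(parts)-1])
	if err != nil {
		return 0
	}
	return n
}

// Triage applies Mosca's inequality (shelf life + migration > years until a
// CRQC means the data is already exposed) and orders urgent findings first.
// yearsToCRQC is the planning assumption, not a prediction.
func Triage(assets []Asset, yearsToCRQC int) []Finding {
	var out []Finding
	for _, a := range assets {
		f := Finding{Asset: a, Family: classify(a.Algorithm)}
		switch f.Family {
		case Asymmetric:
			if a.Purpose == "signature" {
				// Signatures are not harvestable: forgery only starts once a
				// CRQC exists, so what matters is finishing before then and
				// how long the signature itself must remain trustworthy.
				f.Urgent = a.Migration >= yearsToCRQC || a.ShelfLife > yearsToCRQC
				f.Action = "move to ML-DSA/SLH-DSA (or a classical+PQC composite) before a CRQC exists"
			} else {
				f.Urgent = a.ShelfLife+a.Migration > yearsToCRQC
				f.Action = "switch to hybrid key establishment (classical + ML-KEM) now; recorded traffic is already at risk"
			}
		case Symmetric:
			f.Action = "no change needed"
			if bits := keyBits(a.Algorithm); bits > 0 && bits < 256 && a.ShelfLife+a.Migration > yearsToCRQC {
				f.Action = fmt.Sprintf("Grover halves the %d-bit margin; use 256-bit keys for long-lived data", bits)
			}
		case Hash:
			f.Action = "no change needed (SHA-2/SHA-3 keep a sufficient margin)"
		case PQC:
			f.Action = "already post-quantum; track FIPS 203/204/205 parameter guidance"
		default:
			f.Urgent = true
			f.Action = "unrecognised algorithm: inventory gap, identify it before planning"
		}
		out = append(out, f)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Urgent && !out[j].Urgent })
	return out
}

func main() {
	// Constructed sample inventory; the system names are hypothetical.
	inventory := []Asset{
		{"archive-backup-encryption", "RSA-2048", "key-exchange", 15, 3},
		{"api-tls-handshake", "ECDH-P256", "key-exchange", 1, 2},
		{"statement-signing", "ECDSA-P256", "signature", 2, 3},
		{"hsm-data-at-rest", "AES-128", "encryption", 15, 2},
		{"audit-log-hash-chain", "SHA-256", "hash", 20, 1},
		{"legacy-vendor-module", "Blowfish", "encryption", 5, 4},
	}
	for _, f := range Triage(inventory, 10) {
		fmt.Printf("urgent=%-5v %-26s %-11s %s\n", f.Urgent, f.Asset.Name, f.Asset.Algorithm, f.Action)
	}
}
```

Note what the ordering says: the 15-year archive behind RSA-2048 and the unrecognised vendor module come out first, while the TLS handshake protecting short-lived sessions does not, even though it uses the same broken family. That is the difference between "replace everything" and a migration plan that fits a budget.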
Part 2. Ditching Passwords: WebAuthn, Passkeys, and Biometrics
While some engineers are battling the quantum threat, others are tackling a more mundane but no less important problem: passwords are finally dying.
2.1. Reality 2026: Five Billion Passkeys and a Strategic Transition
In May 2026, on World Passkey Day, the FIDO Alliance announced that 5 billion passkeys were in active use globally. The technology works across the major platforms, 68% of companies have already deployed or are deploying passkeys for employees, and 82% of organizations cite a complete transition to passwordless authentication as a strategic goal.
2.2. PSD3/PSR: A Regulatory Trigger for Europe
The main drivers in 2026, however, are regulators. PSD2 is being replaced by PSD3 and the Payment Services Regulation (PSR). The first wave of implementation of most SCA requirements is expected in late 2026 or early 2027. PSD3 allows two biometric factors, provided they are independent, while the PSR establishes the general rules for strong customer authentication (SCA), which requires at least two independent factors. This is why a passkey used with user verification counts as two factors: possession of the device plus the PIN or biometric that unlocks the key on it.
2.3. Barrier and Incentive
Despite this progress, 76% of organizations still rely on passwords as their primary authentication method, and only 43% have implemented some form of passwordless login. Cyber insurers have created a strong incentive: premiums are reduced by 15-30% for organizations that have deployed FIDO2, because insurers have found that companies that move off passwords have significantly fewer incidents and losses.
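Below is an added example (my code, not from the original post or from the FIDO Alliance) of the relying-party side of a passkey login in Go using only the standard library: it verifies a WebAuthn assertion and, for SCA-grade operations, insists on the user-verification flag, which is where the "two independent factors" live in a passkey. The authenticator side is simulated so the exchange can run offline. The RP ID bank.example, the origins, the challenge and the sign counter values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	flagUP = 0x01 // user present (touch)
	flagUV = 0x04 // user verified (PIN or biometric on the authenticator)
)

// Credential is what the relying party stored at registration.
type Credential struct {
	PublicKey *ecdsa.PublicKey // ES256 (P-256) key
	SignCount uint32
}

// Assertion is the authenticator response to navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA signature
}

type Policy struct {
	RPID      string   // e.g. "bank.example"
	Origins   []string // exact origins allowed to drive the ceremony
	RequireUV bool     // true for SCA-grade operations (possession + PIN/biometric)
}

// VerifyAssertion runs the relying-party checks of WebAuthn section 7.2 and
// returns the signature counter to store on success.
func VerifyAssertion(cred *Credential, a Assertion, challenge []byte, p Policy) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	// The challenge ties this assertion to one login attempt (no replay).
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return 0, errors.New("challenge mismatch")
	}
	// The origin check is the phishing resistance: the browser writes the
	// real origin into clientDataJSON and the authenticator signs over it.
	allowed := false
	for _, o := range p.Origins {
		allowed = allowed || o == cd.Origin
	}
	if !allowed {
		return 0, fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	ad := a.AuthenticatorData
	if len(ad) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	if rp := sha256.Sum256([]byte(p.RPID)); !bytes.Equal(ad[:32], rp[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	flags := ad[32]
	if flags&flagUP == 0 {
		return 0, errors.New("user presence not asserted")
	}
	if p.RequireUV && flags&flagUV == 0 {
		return 0, errors.New("user verification required for this operation")
	}
	count := binary.BigEndian.Uint32(ad[33:37])
	// A counter that fails to increase on a hardware key suggests a cloned
	// credential. Synced passkeys often report 0, which the spec permits.
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return 0, errors.New("signature counter did not increase: possible clone")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedHash(ad, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return count, nil
}

// signedHash is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the
// message an ES256 authenticator signs.
func signedHash(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}

// The functions below play the authenticator and browser so the exchange can
// be exercised without a real device.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func BuildAuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return binary.BigEndian.AppendUint32(append(h[:], flags), count)
}

func SignAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, clientDataJSON))
}

func ClientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%s","origin":"%s","crossOrigin":false}`,
		base64.RawURLEncoding.EncodeToString(challenge), origin))
}

func main() {
	priv, _ := NewKeyPair()
	cred := &Credential{PublicKey: &priv.PublicKey, SignCount: 4}
	policy := Policy{RPID: "bank.example", Origins: []string{"https://bank.example"}, RequireUV: true}
	challenge := []byte("constructed-32-byte-challenge!!!")
	ad := BuildAuthData("bank.example", flagUP|flagUV, 5)
	cdj := ClientData(challenge, "https://bank.example")
	sig, _ := SignAssertion(priv, ad, cdj)
	n, err := VerifyAssertion(cred, Assertion{ad, cdj, sig}, challenge, policy)
	fmt.Println("genuine assertion: counter", n, "err", err)
	adUP := BuildAuthData("bank.example", flagUP, 6)
	sigUP, _ := SignAssertion(priv, adUP, cdj)
	_, err = VerifyAssertion(cred, Assertion{adUP, cdj, sigUP}, challenge, policy)
	fmt.Println("touch-only assertion for a payment:", err)
}
```

Two details that are easy to get wrong in production are checked here. The origin comes from clientDataJSON, which the browser writes and the authenticator signs over, so an assertion produced on a lookalike domain fails even if the attacker relays it in real time. And the signature counter is only enforced when it is non-zero, because synced passkeys legitimately report 0; enforcing it blindly would lock out exactly the users the passkey rollout is meant to win.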
Part 3. AI agents automating defense
The main trend in security operations centers (SOC) in 2026 is total automation.
3.1. The Human Scaling Problem
A modern SOC receives roughly 10,000 alerts per day, each needing 20 to 40 minutes to investigate. Properly processing even 2,000 of those alerts per day at the standard 20 minutes each would require 152 full-time analysts.
3.2. AI SOC Implementation Figures
Ninety-four percent of organizations already use AI in their SOCs in some form. Financial institutions that have deployed an AI SOC report impressive results: mean time to respond (MTTR) falls from a day to 14 minutes, mean time to investigate (MTTI) falls from hours to minutes, and over 90% of alerts are investigated automatically.
3.3. Future Competencies: AI and Model Retraining
Gartner predicts that by 2028, AI will automate more than 50% of L1 analyst tasks. Today, more than 64% of cybersecurity jobs require AI and machine learning skills. The financial institution of the future is not just a bank but a high-tech platform where AI agents investigate and block attacks around the clock, with humans reviewing the decisions and retraining the models on the institution's own incidents.
Part 4. Fraud Forecast: Voice Synthesis, Real-Time Video Fakery
As defenses become smarter, attacks become more sophisticated. The next wave of fraud is already here, and it is built on real-time voice synthesis and deepfakes.
4.1. Voice as a New Attack Vector
Entrust's 2026 report, for example, found that one in five biometric fraud attempts involves deepfakes, and that injection attacks (synthetic video fed straight into the camera or SDK stream, bypassing the lens entirely) have increased by 40% year on year. Thirty percent of businesses no longer consider facial verification reliable on its own.
Voice phishing and deepfake calls are becoming commonplace. One in four Americans reports receiving a deepfake call in the past 12 months, and another 24% aren't confident they could tell one from a real call.
In March 2026, a major Hong Kong bank lost $25 million during a fake video conference in which all participants were AI-generated.
4.2. Deepfake KYC and the Darknet
Ready-made tools that bypass identity verification and use real-time voice synthesis are sold on the darknet. A fraudster can fabricate an ID document, generate a matching deepfake persona, and complete the entire remote verification process without leaving the room.
4.3. Real-Life Incidents: From Theory to Practice
In 2026, Seqrite recorded a sharp increase in AI-driven attacks on Indian financial institutions using synthetic video, voice, and image manipulation.
4.4. 5G/6G: The New Battlefield
5G/6G networks are creating new opportunities for attackers. SMS blasters and IMSI catchers (fake base stations) are becoming readily available for standing up rogue cells and intercepting SMS-based two-factor authentication, which is one more reason to treat SMS one-time codes as the weakest authentication factor. Attackers are also exploiting insufficiently protected 5G network slices to gain unauthorized access and conduct sophisticated financial attacks.
Part 5. Preparing for a New Paradigm: Cryp agility, Continuous Verification, Zero Trust
So, the payment security world of 2030–2035 will be radically different from today. To survive and thrive in this environment, fundamental approaches must be rebuilt.
5.1. Crypto-Agility
Your systems must be able to change encryption and signature algorithms on the fly, without rewriting code or incurring significant downtime. The next cryptographic migration will happen much faster, and your preparedness will affect not only your clients' data but also their trust in you as a financial institution.
5.2. Continuous Verification
Trust will no longer be established at a single point (login). Zero Trust is not a marketing term but a strict architecture: no request is accepted until it passes real-time multi-factor analysis, and every user action, not only the initial sign-in, is verified rather than trusted on the strength of indirect evidence such as an earlier successful login.
5.3. AI as a Double-Edged Sword
Fraudsters are using AI to automate attacks, generate deepfakes, and bypass KYC. The only adequate response is defensive AI models that analyze the same behavior in real time.
Part 6. End-to-End Checklist: Preparing Payment Security for 2030
This checklist is your tool for assessing your current state and creating a plan for the next 5 years.
Part A. Post-Quantum Cryptography (PQC) & PKI
- We have completed an inventory of cryptographic assets (all used algorithms, libraries, certificates, their purpose and criticality).
- We audited long-term data storage (archives, backups) and determined which data requires PQC protection against harvest-now-decrypt-later collection.
- We have developed a roadmap for the transition to hybrid solutions (classical + post-quantum cryptography) for high-risk systems.
- We created a centralized key storage and key lifecycle management system (KMS), allowing keys to be replaced without interrupting services.
- A budget has been established for updating cryptographic libraries and protocols.
Part B. Passwordless Authentication and PSD3
- We developed a roadmap for the transition to passkeys (FIDO2/WebAuthn) for different user groups.
- We tested a seamless user experience with passkeys on different devices.
- We have documented procedures for restoring access in the event of loss of a device with a passkey.
- Enabled two-factor biometric authentication for high-risk financial transactions.
- Our plans comply with PSD3 and PSR requirements (SCA, extended authentication, Open Banking APIs).
Part C. AI Agents, Deepfake Detection, and Monitoring
- We trained the AI SOC model on our own data (historical logs and incidents).
- We integrated deepfake detection tools (voice and video) into verification processes and the call center.
- We have implemented a 5G/6G network anomaly monitoring system to identify SMS blasters and fake towers.
- Staff trained to recognize voice deepfakes (compliance and anti-fraud departments).
- We developed a Zero Trust continuous verification policy that includes behavioral biometrics.
Conclusion: A race without a finish line
The future of payment security is not a fortified fortress but a continuous arms race between defensive algorithms and criminal AI. Banks, fintech companies, and regulators are beginning to understand that the static rules of the past will not win this battle. The new paradigm requires:
- Crypto-agility: the ability to survive not one but many cryptographic migrations.
- Continuous verification - Zero Trust, where every payment is confirmed by hundreds of invisible signals.
- Adaptive AI Defender - AI that learns from attacks faster than an AI hacker adapts to defense.
2035 is just around the corner. Those who begin building this architecture today will gain a decisive advantage. Those who don't risk becoming hostages to their own past. Choose: build or play catch-up?
