Toss Payments, the payment processing arm of fintech company Toss, announced April 3 that it has become the first company in the financial and tech sectors to fully implement Post-Quantum Cryptography (PQC) across its entire infrastructure.
PQC is a next-generation encryption system built on complex mathematical algorithms designed to withstand decryption attempts by quantum computers. Toss Payments has deployed the technology across its proprietary data center and cloud services through Amazon Web Services, including at the payment gateway — the critical interface between merchants and consumers.
When users access the Toss Payments gateway through browsers that support PQC — including Chrome, Edge, Safari and Firefox — the system automatically activates quantum-resistant encryption for all server communications.
The urgency behind the move stems from a growing cybersecurity threat known as “harvest now, decrypt later,” where bad actors stockpile encrypted data today with the intent to crack it once quantum computing becomes widely accessible. Experts project quantum computers could be commercially viable by the mid-2030s, but the threat is considered active now.
To get ahead of it, Toss Payments adopted the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), a NIST-approved standard, to protect sensitive financial data including credit card details and transaction records.
The rollout puts the company roughly a decade ahead of the 2035 government deadline for transitioning critical infrastructure to quantum-resistant encryption. While some banks and cryptocurrency exchanges are exploring PQC in limited capacities, Toss Payments is the first to apply it at full scale across all customer-facing web and API services in the finance and tech sectors.
Chief information security officer at Toss Payments, said the implementation is designed to build long-term confidence among merchants and consumers ahead of the quantum computing era.