Banking solutions
Read →
Banking
Banking & harvest-now-decrypt-later
Transaction archives and wire audit logs with 7–25 year shelf-life create present-day HNDL exposure when migration takes years.
Framework
Financial data shelf-life and crypto agility
Deadline: PCI-DSS 4.0 ongoing
Executive summary
Regional banks and payment processors hold transaction archives, M&A diligence, and core banking backups with multi-year to multi-decade confidentiality requirements. HNDL means ciphertext copied today — via breach, backup exfiltration, or cloud misconfiguration — may be decryptable before migration completes.
Data shelf-life by banking data class
| Data class | Typical X (years) | Primary harvest path |
|---|---|---|
| Wire transfer archives | 7–15 | Backup exfiltration |
| M&A diligence | 10–25 | Data room copies |
| Core banking backups | 15+ | Ransomware |
| API / cardholder logs | 3–7 | Cloud misconfig |
PCI-DSS 4.0 and crypto agility
PCI-DSS 4.0 requires knowing what cryptography protects cardholder data and demonstrating agility. Qtangl maps TLS, JWKS, and STARTTLS findings to PCI-DSS 4.0 controls with signed evidence.
Mosca worked example (regional bank)
- X = 15 years (transaction archive retention)
- Y = 6 years (realistic migration runway)
- Z = 10 years (industry quantum timeline estimate)
X + Y = 21 > Z → HNDL exposure today
Collection vectors for financial services
- Ransomware exfiltration — backup appliances and file shares
- Long-term tape/S3 archives — encrypted with RSA/ECIES envelopes
- Third-party processor copies — BAU data flows with quantum-vulnerable TLS
- Bulk transit capture — TLS handshakes on payment API traffic
Qtangl mapping
- Bank TLS inventory scenario
- Mosca HNDL scoring on financial data classes
- CBOM export for QSA and internal audit
- Monitor drift between assessment cycles
Inventory aid — not PCI attestation.
90-day plan
- Baseline external TLS + JWKS scan
- Tag findings by data shelf-life tier
- Export CBOM for GRC
- Pilot hybrid TLS on API gateway
Qtangl mapping
- Bank TLS inventory scenario with HNDL scoring
- PCI-DSS 4.0 control mapping in compliance pack
- CBOM export for GRC integration
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-04
- What Is Post-Quantum Cryptography?NIST · 2024Official overview of NIST's PQC project, finalized standards, and the harvest-now-decrypt-later threat model.
- NIST IR 8547: Transition to Post-Quantum Cryptography StandardsNIST · 2024Federal transition guidance with deprecation timelines for quantum-vulnerable algorithms.
- Quantum Threat Timeline Report (Mosca inequality)Global Risk Institute · 2023Dr. Michele Mosca's X + Y > Z framework for harvest-now-decrypt-later exposure planning.
Try it