Insights from ICMC26: PQC Moves from Theory to Operational Reality

The conversation around post-quantum cryptography (PQC) has noticeably evolved. What until recently was treated primarily as a long-term planning topic is now becoming an immediate operational concern for enterprises, governments, financial institutions, and critical infrastructure providers.


That shift was evident throughout this year’s International Cryptographic Module Conference (ICMC26), where discussions focused heavily on the practical realities of PQC adoption: new NIST standards, crypto-agility, certification readiness, interoperability challenges, and the future of secure cryptographic infrastructure.


In this blog, we provide an overview of the key insights from ICMC 2026, which took place in Washington, DC. We also review the findings from an important session on PQC and its impact on the payments sector.


Why ICMC Matters

Unlike broader cybersecurity events, ICMC is dedicated to cryptographic assurance and implementation. It brings together experts working on HSMs, secure key management, and certification frameworks such as FIPS 140-3, Common Criteria, and PCI, making it a key forum for translating PQC from theory into practice.


Utimaco contributed to these discussions through presentations by Manish Upasani, Head of Product Management, and Nils Gerhardt, Chief Technology Officer, highlighting the impact of PQC and AI on payment systems, cryptographic identity, and next-generation HSM architectures.


Key Insights from ICMC

ICMC was a valuable opportunity to bring together industry experts and discuss the latest developments in securing infrastructures against post-quantum threats. Here are the most important insights:


The transition is far more complex than previous cryptographic migrations

Multiple new algorithms, hybrid deployment models, evolving standards, interoperability concerns, and protocol changes are creating significant implementation complexity across industries.


Crypto-agility is a key enabler

Crypto-agility is emerging as a key enabler of PQC migration, allowing organizations to replace cryptographic algorithms without redesigning entire systems. Industry discussions emphasized the need for flexible architectures, hybrid certificates, staged migration strategies, and strong risk analysis.


Payment infrastructure faces unique PQC performance challenges

Larger signatures and additional protocol overhead could impact transaction latency, packet fragmentation, and even interchange economics across EMV, mobile wallets, tokenization, and payment HSM environments.


Policy pressure and the “Harvest Now, Decrypt Later” (HNDL) threat are becoming central drivers of PQC adoption

Increasing regulatory focus on PQC, combined with growing recognition of long-term data confidentiality risks, is pushing the topic beyond technical security teams and into executive- and board-level decision-making.


This aligns with findings from the 2026 Utimaco Digital Trust Report, which highlights PQC and AI-related threats as key strategic concerns for organizations.

Among the risks associated with quantum computing, the exposure of today’s encrypted data is widely viewed as the most critical issue. Notably, 75% of respondents identified HNDL attacks — where encrypted data is collected today with the intention of decrypting it once quantum capabilities mature — as the most urgent threat requiring immediate attention.


The full “2026 Utimaco Digital Trust Report” is available for download here.

Agentic AI is creating new cryptographic identity challenges

As AI agents rapidly outnumber human identities, organizations will face growing pressure around key management, certificates, authentication, and cryptographic governance at machine scale. This is increasing demand for automated, crypto-agile security architectures capable of maintaining integrity and authenticity across rapidly expanding machine ecosystems.


Insights from Utimaco at ICMC


Agentic AI

During his session, Nils Gerhardt focused on agentic AI and the challenges it introduces.


Agentic AI is emerging as a major driver of cryptographic identity innovation, with roughly 80 agent identities per human already in existence — a number expected to grow rapidly. This creates significant challenges for key management across SSO, code signing, TLS, and blockchain systems.

Managing identity at scale will require automation, strong security controls, and crypto-agility, including readiness for post-quantum cryptography, to maintain integrity and authenticity across increasingly complex agent-based environments.


Impact on the Payment Ecosystem and Payment HSMs

Manish Upasani delivered a compelling session on a topic that has so far received limited attention: Post-Quantum Cryptography (PQC) in the payments industry and its impact on payment HSMs.

For the payments sector, the challenge is not limited to cryptography itself, but also includes performance, certification requirements, trust-chain integrity, and the scale of operational change required across the ecosystem.


With PCI PTS HSM v5 expected to mandate PQC readiness, the industry will need to begin preparing for structural shifts across core payment infrastructure.


Where PQC Impacts the Payment Ecosystem

  • EMV Contactless
    Card-to-terminal protocols will require PQC-ready key exchange.
  • Mobile Wallets
    Tokenization infrastructure requires algorithm agility.
  • Backend HSMs
    Issuer and acquirer HSMs must support dual-stack cryptography.
  • Remote Key Injection
    Cloud-based key provisioning requires attested PQC-secure channels.
  • Performance vs. Latency
    Significantly larger signatures may introduce packet fragmentation and latency concerns.
     

Final Thoughts

A key conclusion from ICMC is that the PQC threat has become a major focus for all stakeholders, including vendors developing mitigation solutions, organizations working to protect critical assets, and regulators incorporating PQC requirements into emerging frameworks.


Utimaco’s Solutions for the PQC Era

Utimaco’s Quantum Protect package enables PQC capabilities on existing u.trust GP HSM Se-Series and u.trust GP HSM CSe-Series hardware, eliminating the need for hardware replacement. The solution supports ML-DSA (FIPS 204), ML-KEM (FIPS 203), and LMS, all of which are NIST CAVP validated and available today, with SLH-DSA (FIPS 205) on the roadmap.

Utimaco's Atalla AT1000 Payment HSM protects the payment ecosystem. It is a high-performance Payment HSM capable of processing up to 10,000 transactions per second, using a multi-tenant architecture. It is compliant with FIPS 140-3 Level 3 and FIPS 140-2 Level 4 (physical design) as well as PCI PTS HSM v4 (application submitted). It supports the AES-256 standard and PQC-ready ML-DSA, providing enhanced security.

About the Author

Peter Czempas

Product Marketing Manager, Utimaco
