When Quantum Meets Retail And Fiscalization

Darko Pavic, Founder & CEO of Fiscal Solutions, Retail Technology & Global Fiscalization Expert with 28+ Years of Experience.

getty

​Huge changes are on the horizon in computing. Artificial intelligence has already transformed the technology agenda, but another shift is now moving from research labs to business reality: quantum computing.

At a simple level, quantum computing can be imagined as a dramatic leap in processing power. According to some of the first scientific reports published on the topic, quantum computers will be able to operate far beyond classical systems when it comes to certain tasks. And this is only the beginning.

Google CEO Sundar Pichai said at the World Governments Summit in Dubai that quantum computing is roughly where AI was 10 years ago. He said it could become practically useful within the next five to 10 years. At the same time, Google’s head of quantum, Hartmut Neven, said that Google is aiming to launch quantum computing applications within the next five years.

The obvious question is: What could this mean for retail and, in particular, for fiscalization, the local compliance rules that tell retailers how transactions must be handled?

Fiscalization exists to reduce VAT fraud. That means it's concerned with manipulation, trust and evidence. And this is exactly why quantum computing matters. It does not change the legal purpose of fiscalization, but it could change the reliability of the technical controls on which fiscalization depends.

Across the primary fiscalization models most companies use, the same pattern appears again and again: Retail fiscalization relies on a trust layer built from digital signatures, certificates, secure devices, encrypted transmission, QR-based verification and long-term audit evidence.

The highest-risk area is public-key cryptography: digital signatures, certificate chains, device certificates and PKI-based authentication. The public-key algorithms used today for key establishment and digital signatures are the ones that must be replaced with post-quantum cryptography. NIST, for example, already released three finalized post-quantum encryption standards.

There are five primary areas exposed by this new reality. The first is transactions. Many fiscal regimes rely on a digital signature to prove that a receipt, journal entry or invoice has not been altered. If quantum-capable attacks break the underlying PKI, inauthentic receipts or invoices can become a real risk.

The second exposed area is device identity and trusted POS. Many fiscalization systems question the trust of the document itself, but they also have to vet the device that issued it and whether that device is a cash register, fiscal printer, signature device or another certified endpoint approved by the government. If quantum breaks device certificates, the risk expands from a fake document to a fake compliant device or rogue software pretending to be an approved fiscal endpoint.

The third exposed area is secure transmission to tax authorities. Modern fiscal systems increasingly depend on near-real-time or clearance-style transmission. The risk here is partly about signatures and partly about encrypted channels and API authentication. Future quantum computing could break current algorithms. The U.K. NCSC has published a road map that targets discovery by 2028 and full migration by 2035.

A fourth area is long-term archive confidentiality and evidentiary value. Fiscal data must often be retained for years. That creates the classic “harvest now, decrypt later” problem. Even if an attacker cannot break protected data today, encrypted archives or captured traffic could be decrypted later when quantum capabilities improve.

A fifth area is QR code and offline verification. Many fiscal regimes expose trust directly to the consumer or auditor through QR codes and verification payloads. Quantum does not make QR codes obsolete, but if the verification ultimately depends on a broken signature chain, the QR loses legal value. At the same time, post-quantum signatures and certificates are usually larger. That can increase payload size, bandwidth, latency and implementation complexity.

Not every fiscal control is equally threatened. Sequential counters, tamper-evident logs, hash chains and sufficiently strong symmetric cryptography are less directly exposed than RSA- or ECC-based trust layers. The practical weakness in most fiscal systems is, therefore, not the counter or the local chain by itself. It is the public-key signature, certificate or key-exchange layer wrapped around it.

There is, however, a positive side. Quantum pressure could force fiscalization architectures to become more professional. Systems will need crypto-agility: the ability to change algorithms, certificates, trust anchors and validation rules without replacing the entire POS estate. That is good architecture regardless of quantum. In practice, it means a cleaner separation between business logic and the fiscal trust layer.

The negative side is more immediate. If migration is late, a country could end up with a fiscal system that still works operationally but whose trust anchor is broken. That is more than a normal IT weakness. Fiscalization often serves as legal evidence in audits, disputes and tax enforcement. A compromised signature regime, therefore, creates not only cyber risk but also legal uncertainty.

There is also the question of cost. Post-quantum schemes are usually accompanied by larger keys, larger signatures or ciphertext, and sometimes slower verification. In fiscalization, that can create real pain.

For international retailers and POS vendors, the challenge becomes even larger. They will not face one migration, but many: different authorities, different certification bodies, different device life cycles, different APIs and different legal transition dates. That mismatch could become a major operational burden.

Quantum computing will affect fiscalization most where fiscalization depends on PKI: digital signatures on receipts and invoices, device certificates and POS attestation, secure API authentication to tax authorities, time-stamping and trust services, archived signed evidence and consumer or auditor verification flows built on signed QR payloads. It will also affect, but less directly, sequential numbering, local counters, hash chaining and strong symmetric encryption. It may later improve fraud analytics, reconciliation, risk scoring, audit selection and the optimization of tax-administration data processing, but that part remains promising rather than operational.

If you take anything from this article, let it be this: Fiscal laws themselves will probably not be rewritten. More likely, countries will begin by changing technical regulations, certification criteria, trust-service requirements and signature formats. The first battlefield will not be tax policy. It will be the security architecture underneath tax compliance. That's what you need to keep your eye on.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?