AFD Fleet Cards - Transition from 3DES to AES

In this article we focus on fleet cards that are issued by banks and/or follow a payment card association scheme (Visa, MasterCard, etc.), and on the necessary transition from 3DES to AES encryption.

We may refer to these fleet cards as “AFD” cards (or AFD-Fleet cards), where AFD stands for Automated Fuel Dispenser. Like traditional bank cards, these cards and the infrastructure behind them also need to consider moving from 3DES to AES if they already use a chip, or to integrate AES directly if they are migrating to EMV.

Upgrading from 3DES to AES is much more complicated in the card payment environment than in a pure software setting (such as the TLS stack of a browser).

  • The payment environment is different because a great deal of cryptography is involved at every hop.
  • Today, there are very few issuers processing ARQCs using AES in the United States.
  • When migrating to AES, you need to consider the larger cryptographic block size, and this involves changing the key bundle block as well.
  • AES key exchange is now described by the latest version of ANS X9 TR-31: key blocks can now be protected by AES instead of triple-DES.
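The block-size point in the list above is easiest to see on a transaction cryptogram, since an ARQC is a MAC over transaction data. The following is an added example, not code from the original article or from Utimaco: it computes the same transaction data under the 3DES-era construction (ISO/IEC 9797-1 MAC algorithm 3, the "retail MAC", on 8-byte blocks) and under AES-CMAC (ISO/IEC 9797-1 MAC algorithm 5, RFC 4493, on 16-byte blocks). The keys and the transaction string are constructed placeholders; EMV session-key derivation and the exact ARQC input formatting are assumed to happen elsewhere and are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// pad80 applies ISO/IEC 9797-1 padding method 2: one 0x80 byte, then zero
// bytes until the length is a multiple of the block size.
func pad80(data []byte, bs int) []byte {
	out := append([]byte{}, data...)
	out = append(out, 0x80)
	for len(out)%bs != 0 {
		out = append(out, 0x00)
	}
	return out
}

// xorInto XORs src into dst in place (both slices have the same length).
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// retailMAC is ISO/IEC 9797-1 MAC algorithm 3 with a double-length DES key:
// single-DES CBC-MAC under K_L, then one DES decrypt under K_R and a final
// DES encrypt under K_L. It works on 8-byte blocks and yields an 8-byte MAC.
func retailMAC(key16, data []byte) ([]byte, error) {
	if len(key16) != 16 {
		return nil, fmt.Errorf("retailMAC: need a 16-byte double-length DES key, got %d bytes", len(key16))
	}
	kl, err := des.NewCipher(key16[:8])
	if err != nil {
		return nil, err
	}
	kr, err := des.NewCipher(key16[8:])
	if err != nil {
		return nil, err
	}
	mac := make([]byte, des.BlockSize)
	msg := pad80(data, des.BlockSize)
	for i := 0; i < len(msg); i += des.BlockSize {
		xorInto(mac, msg[i:i+des.BlockSize])
		kl.Encrypt(mac, mac)
	}
	kr.Decrypt(mac, mac)
	kl.Encrypt(mac, mac)
	return mac, nil
}

// gfDouble multiplies a 16-byte block by x in GF(2^128) (CMAC subkey step).
func gfDouble(in []byte) []byte {
	out := make([]byte, len(in))
	carry := byte(0)
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[len(in)-1] ^= 0x87
	}
	return out
}

// aesCMAC is AES-CMAC (RFC 4493 / ISO/IEC 9797-1 MAC algorithm 5). It works
// on 16-byte blocks, so final-block handling and MAC length both differ
// from the DES construction above.
func aesCMAC(key, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	const bs = aes.BlockSize
	l := make([]byte, bs)
	blk.Encrypt(l, l) // L = AES_K(0^128)
	k1 := gfDouble(l)
	k2 := gfDouble(k1)

	n := (len(data) + bs - 1) / bs
	complete := n > 0 && len(data)%bs == 0
	if n == 0 {
		n = 1
	}
	last := make([]byte, bs)
	copy(last, data[(n-1)*bs:])
	if complete {
		xorInto(last, k1) // full final block: mask with K1
	} else {
		last[len(data)-(n-1)*bs] = 0x80 // partial final block: 10* pad, mask with K2
		xorInto(last, k2)
	}
	x := make([]byte, bs)
	for i := 0; i < n-1; i++ {
		xorInto(x, data[i*bs:(i+1)*bs])
		blk.Encrypt(x, x)
	}
	xorInto(x, last)
	blk.Encrypt(x, x)
	return x, nil
}

func main() {
	// Constructed sample keys and transaction data; not real card values.
	key3des, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	keyAES, _ := hex.DecodeString("2B7E151628AED2A6ABF7158809CF4F3C")
	txn := []byte("AMOUNT=000000004200;CURRENCY=840;ATC=0017;UN=7A3F1C9E")
	m3, _ := retailMAC(key3des, txn)
	mA, _ := aesCMAC(keyAES, txn)
	fmt.Printf("3DES retail MAC (%d-byte blocks): %X\n", des.BlockSize, m3)
	fmt.Printf("AES-CMAC (%d-byte blocks):        %X\n", aes.BlockSize, mA)
}
```

Everything that touches the block boundary changes between the two: the padding position, the subkey masking of the final block, and the length of the resulting cryptogram. Any host, HSM command set or key block that hard-codes 8-byte blocks has to change accordingly, which is why the migration is more than a key swap.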

Fleet cards that use payment networks must operate within a PCI environment. Therefore, they must implement key blocks before the June 2021 and June 2023 deadlines set by the PCI Council [1].


Another reason for fleet cards to migrate to AES is the latest version of ANS X9.24 part 3, which now allows Derived Unique Key Per Transaction (DUKPT) to use AES.

DUKPT is a very popular key derivation scheme used to generate a unique session key per transaction to encrypt data between zones. Several HSMs already support AES DUKPT, so it is reasonable to expect that triple DES will be abandoned inside the payment networks in the near future.

Reasons Why AES is Better than 3DES

Here are some of the reasons why AES is better than 3DES:

  • 3DES relies on single DES, which is a broken algorithm. Several attacks can break 2-key and 3-key 3DES in contexts where the keys can be isolated as single-DES keys with known corresponding ciphertexts.
  • 3DES is deprecated; AES is the future. NIST, the National Institute of Standards and Technology, withdrew approval for the 2-key 3DES algorithm at the end of 2015. Even though 3-key 3DES is still approved by NIST, its security is no better than 2-key 3DES, and it is now recommended to phase out 3-key 3DES before 2031.
  • Overall, AES is a better algorithm: it is faster and is considered more secure. AES DUKPT can generate two billion keys before rekeying (instead of 1 million for TDEA-based DUKPT). Since the AES key space is so much larger (256 bits instead of 112 bits for 2-key 3DES), AES keys have a longer cryptoperiod than 3DES keys, which reduces the need for complex and costly key exchange ceremonies.
  • AES should have better resistance to quantum computing attacks. Advances in quantum computing indicate that AES should resist quantum attacks much better than 3DES.
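The DUKPT description above and the "two billion keys versus 1 million" figure in the list both come down to one mechanism: a per-device initial key, a transaction counter, and a one-way derivation that walks the counter's set bits. The following is an added example and a deliberately simplified model, not code from the original article or from Utimaco and not an implementation of ANS X9.24-3 (it has no KSN layout, no working-key types and no device-side future-key table). The derivation step is assumed to be AES-128 encryption of a labelled counter block under the parent key; the 21-bit counter with at most 10 set bits is the classic TDEA DUKPT limit and reproduces the "1 million" figure, while the 32-bit counter with at most 16 set bits is an assumed parameter set for the AES model that lands in the "two billion" range.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"math/bits"
)

// deriveChild is the one-way step of the model: the child key is the
// AES-128 encryption, under the parent key, of a block holding the 4-byte
// big-endian counter prefix and a fixed label ("DUKPT-MODEL" is constructed).
func deriveChild(parent []byte, counterPrefix uint32) ([]byte, error) {
	blk, err := aes.NewCipher(parent)
	if err != nil {
		return nil, err
	}
	in := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(in[:4], counterPrefix)
	copy(in[4:], "DUKPT-MODEL")
	out := make([]byte, aes.BlockSize)
	blk.Encrypt(out, in)
	return out, nil
}

// transactionKey derives the key for one transaction counter from the
// initial key by walking the counter's set bits from most to least
// significant, deriving one intermediate key per set bit. Counters with
// more than maxOnes set bits are skipped; that rule is what bounds the
// number of usable counters per initial key.
func transactionKey(ik []byte, counter uint32, counterBits, maxOnes int) ([]byte, error) {
	if counter == 0 || counterBits < 1 || counterBits > 32 || counter>>uint(counterBits) != 0 {
		return nil, errors.New("counter out of range")
	}
	if bits.OnesCount32(counter) > maxOnes {
		return nil, errors.New("counter has too many set bits and must be skipped")
	}
	key := ik
	prefix := uint32(0)
	for b := counterBits - 1; b >= 0; b-- {
		bit := uint32(1) << uint(b)
		if counter&bit == 0 {
			continue
		}
		prefix |= bit
		var err error
		if key, err = deriveChild(key, prefix); err != nil {
			return nil, err
		}
	}
	return key, nil
}

// derivableFrom lists the counters whose keys someone holding the key for
// `counter` could still compute: only those that extend it with lower-order
// bits. Keys for earlier counters are never reachable, which is the
// forward-security property DUKPT exists for.
func derivableFrom(counter uint32, maxOnes int) []uint32 {
	lowest := bits.TrailingZeros32(counter)
	var out []uint32
	for low := uint32(1); low < uint32(1)<<uint(lowest); low++ {
		if c := counter | low; bits.OnesCount32(c) <= maxOnes {
			out = append(out, c)
		}
	}
	return out
}

// usableCounters counts the counters of counterBits bits that have 1..maxOnes
// set bits, i.e. how many transaction keys one initial key can yield.
func usableCounters(counterBits, maxOnes int) *big.Int {
	total := new(big.Int)
	for k := 1; k <= maxOnes && k <= counterBits; k++ {
		total.Add(total, new(big.Int).Binomial(int64(counterBits), int64(k)))
	}
	return total
}

func main() {
	ik := []byte("constructed-ik16") // constructed 16-byte initial key, not a real one
	// Small 8-bit counter model (at most 4 set bits) so the tree is easy to follow.
	for _, c := range []uint32{0x80, 0x81, 0x82, 0x83} {
		k, err := transactionKey(ik, c, 8, 4)
		if err != nil {
			fmt.Printf("counter %08b: %v\n", c, err)
			continue
		}
		fmt.Printf("counter %08b -> key %X... (can still derive %d later keys)\n", c, k[:4], len(derivableFrom(c, 4)))
	}
	fmt.Println("TDEA DUKPT (21-bit counter, <=10 set bits):", usableCounters(21, 10))
	fmt.Println("AES DUKPT model (32-bit counter, <=16 set bits):", usableCounters(32, 16))
}
```

The practical consequence for a terminal or an HSM vendor is the same in the model as in the standard: a device only ever holds keys for the current counter and its descendants, so extracting one transaction key does not expose earlier transactions, and the size of the counter (together with the set-bit cap) decides how long a device can run before the initial key must be replaced through a key-injection ceremony.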


Fleet cards using payment networks should adopt an AES-based algorithm, make sure they migrate to AES, and stop using the deprecated 3DES algorithm. For this migration it is very important to select the right HSM, as not all hardware security modules can provide efficient and robust AES implementations, especially the newest AES DUKPT.


References

  • Information Supplement: Cryptographic Key Blocks (2017), PTS Working Group, PCI Security Standards Council.
  • [1] Phase 1 – Implement key blocks for internal connections and key storage within service provider environments. This would include all applications and databases connected to hardware security modules (HSM). Effective date: June 2019.
    Phase 2 – Implement key blocks for external connections to associations and networks. Estimated timeline for this phase is 24 months following Phase 1, or June 2021.
    Phase 3 – Implement key blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or June 2023.

Blog post by Martin Rupp and Dr. Ulrich Scholten
