In this article we focus on fleet cards that are issued by banks and/or follow a payment card association scheme (Visa, MasterCard, etc.), and on the necessary transition from 3DES to AES encryption.
We may refer to these fleet cards as “AFD” cards (or AFD-Fleet cards), where AFD stands for Automated Fuel Dispenser. Like traditional bank cards, these cards and the infrastructure behind them also need to consider moving from 3DES to AES if they already use a chip, or to integrate AES directly if they are migrating to EMV.
Upgrading from 3DES to AES is much more complicated in the card payment environment than in a pure software setting (the TLS module of a browser, for example).
Fleet cards that use payment networks must operate within a PCI environment. Therefore, they must implement key blocks before the June 2021 and 2023 deadlines set by the PCI Council [1].
Another reason for fleet cards to migrate to AES is the latest version of ANS X9.24 part 3, which now allows Derived Unique Key Per Transaction (DUKPT) to use AES.
DUKPT is a very popular key derivation scheme used to generate session keys that encrypt data between zones. Several HSMs already support AES DUKPT, so it is reasonable to believe that triple DES could be abandoned inside the payment networks in the near future.
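As an added example (not from the article and not Utimaco code), this Go program implements the AES-128 DUKPT host-side derivation of ANS X9.24-3: the Initial Key is derived from the BDK and the device's Initial Key ID, and each working key is reached by walking the set bits of the transaction counter, so no key is reused across transactions. Function names and sample values are this example's own assumptions, the indicator values reflect the standard as I recall them, and it covers AES-128 keys only; verify it against the standard's published test vectors before any real use.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"math/bits"
)
// ANS X9.24-3 indicators: key usage (PIN encryption, key derivation, initial key) and algorithm AES-128.
const UsagePIN, UsageDerive, UsageInitial, AlgAES128 uint16 = 0x8001, 0x8008, 0x8009, 0x0002
// derivationData builds the 16-byte block whose AES encryption is the derived key:
// version | key block counter | usage | algorithm | key length in bits | 8 bytes of ID/counter data.
func derivationData(usage uint16, idData [8]byte) [16]byte {
	d := [16]byte{0x01, 0x01}
	binary.BigEndian.PutUint16(d[2:], usage)
	binary.BigEndian.PutUint16(d[4:], AlgAES128)
	binary.BigEndian.PutUint16(d[6:], 128)
	copy(d[8:], idData[:])
	return d
}

// deriveKey: an AES-128 key from an AES-128 derivation key is one AES-ECB encryption of the data.
func deriveKey(derivationKey []byte, data [16]byte) []byte {
	block, err := aes.NewCipher(derivationKey)
	if err != nil { panic(err) } // only reachable with a key that is not 16 bytes long
	out := make([]byte, 16)
	block.Encrypt(out, data[:])
	return out
}

// initialKey derives a device's Initial Key from the BDK and the device's 8-byte Initial Key ID.
func initialKey(bdk []byte, initialKeyID [8]byte) []byte {
	return deriveKey(bdk, derivationData(UsageInitial, initialKeyID))
}

// hostWorkingKey walks from the Initial Key to the working key for one counter: one intermediate
// derivation per set bit (MSB first), then the working key itself; the standard caps the counter at 16 one-bits.
func hostWorkingKey(ik []byte, initialKeyID [8]byte, counter uint32, usage uint16) []byte {
	if counter == 0 || bits.OnesCount32(counter) > 16 { panic("counter must be non-zero with at most 16 one-bits") }
	var id [8]byte
	copy(id[:4], initialKeyID[4:]) // derivation ID = last 4 bytes of the Initial Key ID
	key, prefix := ik, uint32(0)
	for mask := uint32(1 << 31); mask != 0; mask >>= 1 {
		if counter&mask != 0 {
			prefix |= mask
			binary.BigEndian.PutUint32(id[4:], prefix)
			key = deriveKey(key, derivationData(UsageDerive, id))
		}
	}
	binary.BigEndian.PutUint32(id[4:], counter)
	return deriveKey(key, derivationData(usage, id))
}
```

Because every working key is a fresh AES output keyed by the counter path, a compromised terminal exposes only that device's keys, never the BDK held in the HSM.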
Here are some of the reasons why AES is better than 3DES:
Fleet cards using payment networks should adopt an AES-based algorithm, migrate to AES and stop using the deprecated 3DES algorithm. For this migration it is very important to select the right HSM, as not all hardware security modules can provide efficient and robust AES algorithms, especially the newest AES DUKPT.