Migration Cards
MIFARE Plus SE Cards
AES-128 Classic Upgrade Path
Quick answer
MIFARE Plus SE, the entry-tier AES smart-card chip, is NXP's drop-in AES-128 security upgrade for MIFARE Classic 1K installations. It runs in MIFARE Classic emulation on existing readers (Security Level 1), then switches to AES-128 mutual authentication (Security Level 3) once readers are firmware-upgraded. That enables a phased, low-disruption migration from cryptographically broken CRYPTO-1 credentials without replacing the entire reader infrastructure in one capital cycle.
- Drop-in MIFARE Classic replacement — Plus SE cards in Security Level 1 operate on every MIFARE Classic reader with no firmware change, so issuance can begin today on the current reader estate.
- AES-128 mutual authentication at Security Level 3 — once compatible readers are firmware-updated, the same card switches to AES-128, eliminating CRYPTO-1 exposure without re-issuing credentials.
- Backward-compatible memory layout — 1 KB, 16 sectors, the same Application Directory and access conditions as Classic 1K, so access control and card-issuance systems need no data-model change.
At a glance
Use these short answers to decide whether this page matches the project before moving into the detail.
Air-interface + CR80 envelope
ISO/IEC 14443-2/-3/-4 Type A at 13.56 MHz with T=CL block transfer — identical PHY to MIFARE Classic 1K so SL1 enrols on every Classic reader. ISO/IEC 7810 ID-1 CR80 (85...
Classic-compatible memory layout
Same 16-sector / 4-block layout, same Application Directory (MAD v1/v2) and same access-condition bits as Classic 1K. Access-control and card-issuance software schemas d...
- AES-128 mutual auth + CMAC (NIST FIPS 197 + SP 800-38B)
- Security Level 3 runs AES-128 reader-card mutual authentication per NIST FIPS 197 with CMAC integrity per NIST SP 800-38B.
- Cloning at SL3 requires extracting a diversified per-card key — no publicly known attack path.
- Command stream is AES-encrypted end-to-end; UID-replay and session-fixation attacks fail at the CMAC step.
- Security Level ladder (SL0 → SL1 → SL3)
- SL0 factory personalisation → SL1 Classic-compatible CRYPTO-1 → SL3 AES-128 endpoint — one-way, no downgrade path.
- Level switch is issued as a CommitReaderID / LevelSwitch command over the air (tap) or during natural re-issuance.
- One-way ladder is intentional — prevents attacker from coercing the card back into CRYPTO-1 mode.
- Key diversification (NXP AN10922)
- Per-card AES-128 diversified keys derived from UID + sector identifier per NXP AN10922 reference scheme.
- Master key stays in an HSM or SAM — never appears in reader-side firmware or issuance-station memory.
- Compromising one card does not compromise the fleet — the single most cited procurement requirement on a migration RFP.
- Phased migration workflow
- Phase 0 baseline audit → Phase 1 issue Plus SE at SL1 → Phase 2 reader firmware upgrade → Phase 3 SL3 level-switch → Phase 4 retire Classic.
- Every phase can begin without waiting for the previous phase to complete across the entire estate.
- Defers 70–85% of reader capex across a 3–5-year budget window vs a single-cycle DESFire rip-and-replace.
- Reader-firmware compatibility
- HID iCLASS SE, HID Signo, multiCLASS SE, SALTO XS4, ASSA ABLOY Aperio, dormakaba exos and SafeRoute all support Plus SE SL3 on current firmware.
- Legacy HID Prox (125 kHz) and pre-SE first-generation iCLASS do not support Plus SE — estates on those platforms are reader-replacement candidates.
- Integrator pilots 50–100 cards across a representative reader sample before committing to the full roll-out.
- Enterprise access-control deployment
- Large-enterprise Classic 1K estates are the canonical Plus SE use case — the reader capex debt is exactly what Plus SE is designed to defer.
- Multi-year campus, government and corporate badge programmes commonly run 10–100 k-card Plus SE issuance per phase.
- Access + canteen + printing sector-keys unchanged from Classic — zero downstream integration work at Phase 1.
- Hospitality keycard deployment
- Compatible with Saflok, VingCard, SALTO and Onity hotel lock ecosystems that run Plus SE SL3 firmware.
- Combi cards co-laminate Plus SE inlay with HiCo 2750 Oe / LoCo 300 Oe magstripe per ISO/IEC 7811-2 for legacy-door coexistence.
- Classic-era Saflok / VingCard estates migrate building-by-building as lock firmware is updated.
- Healthcare + education campus
- Hospital staff-ID migration — replaces Classic 1K badge stock while maintaining access on legacy reader hardware during roll-out.
- University campus card programmes — meal plan + library + printing sector-keys inherit from Classic on day one, upgrade to AES-128 when readers permit.
- No access gaps for users during the multi-year transition — Classic and Plus SE SL1 coexist on every reader.
- Audit + compliance closure (CRYPTO-1 mitigation)
- CRYPTO-1 publicly broken by Garcia et al. (CRYPTO 2008) — cloneable today with $30 Flipper Zero in under 60 s.
- Plus SE issuance at SL1 immediately closes the 'CRYPTO-1 credential in circulation' audit finding on the card side (SL3 closes it end-to-end).
- Plus SE is Common Criteria EAL4+ certified per NXP's security target — acceptable for SOX, PCI DSS, HIPAA and SOC 2 compliance reviews.
- Regulatory + card-body posture
- RoHS 3 + REACH Annex XVII compliant PVC substrates; ISO/IEC 27001 controlled pre-encoding bureau process.
- Batch chip certificates + ISO/IEC 14443 conformance test reports + UID lists + sector-key configuration templates ship with every production lot.
- CR80 4-colour offset print + overlay lamination runs on the same Proud Tek line as Classic; no bureau re-tooling required.
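The per-card derivation described under "Key diversification (NXP AN10922)" above, as an added example that is not code from this page or from NXP: a pure-Python implementation of the CMAC-based AES-128 construction, which pads D = 0x01 || M to 32 bytes. The master key, the UIDs and the choice M = UID || sector number are constructed assumptions; in production the master key stays inside the SAM or HSM, which runs the derivation itself.

```python
# Added example (not NXP code): CMAC-based AES-128 key diversification, AN10922 style.
def _gmul(a, b):                      # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ 0x11B if a & 0x80 else a << 1), b >> 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

# S-box: affine transform of the multiplicative inverse (FIPS 197)
_INV = [0] + [next(b for b in range(1, 256) if _gmul(a, b) == 1) for a in range(1, 256)]
SBOX = [v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63 for v in _INV]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def aes128_encrypt(key, block):
    w, rcon = [key[i:i + 4] for i in range(0, 16, 4)], 1
    for i in range(4, 44):            # key expansion into 11 round keys
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _gmul(rcon, 2)
        w.append(_xor(w[i - 4], t))
    rk = [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]
    s = _xor(block, rk[0])
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                  # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]        # ShiftRows
        if r < 10:                                                # MixColumns
            s = [_gmul(s[c + j], 2) ^ _gmul(s[c + (j + 1) % 4], 3)
                 ^ s[c + (j + 2) % 4] ^ s[c + (j + 3) % 4]
                 for c in range(0, 16, 4) for j in range(4)]
        s = _xor(s, rk[r])
    return s

def _dbl(b):                          # CMAC subkey doubling in GF(2^128), Rb = 0x87
    n = int.from_bytes(b, "big") << 1
    return ((n & ((1 << 128) - 1)) ^ (0x87 if n >> 128 else 0)).to_bytes(16, "big")

def diversify_aes128(master_key, m):
    """CMAC over D = 0x01 || M padded to 32 bytes; subkey K2 if padded, K1 otherwise."""
    if len(master_key) != 16 or not 1 <= len(m) <= 31:
        raise ValueError("need a 16-byte key and 1..31 bytes of diversification input")
    k1 = _dbl(aes128_encrypt(master_key, bytes(16)))
    d, subkey = b"\x01" + m, k1
    if len(d) < 32:
        d, subkey = (d + b"\x80").ljust(32, b"\x00"), _dbl(k1)
    first = aes128_encrypt(master_key, d[:16])
    return aes128_encrypt(master_key, _xor(_xor(first, d[16:]), subkey))

# Constructed sample values: MASTER is a made-up key, never a real deployment key.
# Assumption: M = 7-byte UID || 1-byte sector number; a real scheme fixes M in its key spec.
MASTER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def card_key(uid_hex, sector):
    return diversify_aes128(MASTER, bytes.fromhex(uid_hex) + bytes([sector]))
```

Two cards that differ only in UID get unrelated keys, so a key extracted from one card says nothing about any other card or about the master key.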
What is MIFARE Plus SE, and why does it exist?
MIFARE Plus SE (the Standard Edition entry-point in the Plus family) is a 13.56 MHz ISO/IEC 14443-3 Type A card that mirrors MIFARE Classic 1K's 1 KB / 16-sector memory layout but adds AES-128 mutual authentication. Its job is singular: give organisations with large MIFARE Classic reader estates a migration path to AES-128 that does not require replacing every reader in a single capital cycle.
Plus SE cards ship pre-configured at one of three security levels. Security Level 1 runs the CRYPTO-1 protocol for wire-compatibility with Classic readers, Security Level 2 combines CRYPTO-1 authentication with AES-encrypted data, and Security Level 3 runs AES-128 mutual authentication on every command. An organisation issues Plus SE cards today in Security Level 1, readers continue to treat them as Classic, and a single command (CommitReaderID / ReadSignature / LevelSwitch) moves the card to Security Level 3 once the reader firmware supports it.
The alternative is a full reader estate replacement to MIFARE DESFire EV3. That buys a stronger security envelope (EAL5+, file-system architecture, up to 28 applications) but forces the entire reader capital spend into a single year. Plus SE is the right answer when the reader estate is large, the procurement cycle for readers is multi-year, and the audit finding on CRYPTO-1 needs to be closed without waiting for reader capital.
Security Level 1 vs Security Level 3 — the phased model
Plus SE's value comes from the Security Level ladder. Use this matrix to understand what each level offers and what the reader estate needs to support it.
| Security Level | Authentication | Memory access | Reader support needed | Typical use |
|---|---|---|---|---|
| Security Level 0 (personalisation) | Factory default (transport key) | Writeable | Any MIFARE reader | In-factory personalisation only |
| Security Level 1 (Classic-compatible) | CRYPTO-1 | Classic-compatible sectors | Any MIFARE Classic reader | Phase 1 — issue on current reader estate |
| Security Level 2 (mixed) | CRYPTO-1 auth, AES-encrypted data | AES key management | Firmware-upgraded reader | Rarely deployed; transitional bridge |
| Security Level 3 (AES-128 endpoint) | AES-128 mutual auth (CMAC) | AES-encrypted memory | AES-capable reader firmware | Phase 3 — endpoint after reader rollout |
Migration economics — Plus SE phased vs DESFire rip-and-replace
The single most cited reason procurement approves Plus SE over a direct DESFire migration is capex phasing. The difference is measurable against a 5,000-reader estate budget.
How the phased Classic → Plus SE → AES-128 rollout runs
A typical multi-year migration for an organisation with hundreds to thousands of MIFARE Classic readers. Every phase can begin without waiting for the previous phase to finish on the entire estate.
- Phase 0 · Baseline audit
Inventory the reader estate by model and firmware version; confirm Plus SE Security Level 3 support on the existing firmware or obtain the firmware roadmap from HID / SALTO / dormakaba / ASSA ABLOY.
- Phase 1 · Issue Plus SE in SL1
Replace Classic 1K issuance with Plus SE cards configured at Security Level 1. Cards arrive Classic-compatible; existing readers need no change. Legacy Classic cards continue to work in parallel.
- Phase 2 · Reader firmware upgrade
Roll out reader firmware that understands Plus SE Security Level 3, building by building or zone by zone. Plus SE cards in the field continue at SL1 until explicitly switched.
- Phase 3 · Switch cards to SL3
Issue the CommitReaderID / LevelSwitch command over the air (tap an upgraded reader) or in-factory on the next re-issuance cycle. Cards now communicate with AES-128.
- Phase 4 · Retire Classic + integrator handoff
Once the reader estate is upgraded and the Plus SE fleet is at SL3, retire or re-issue remaining Classic cards. The reader estate is now AES-128 end-to-end. This workflow is drawn from buyer conversations across large-enterprise Classic migration, multi-year campus rollout, hospitality keycard upgrade, healthcare staff-ID and phased access-control MIFARE Plus SE programmes.
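Because the SL1 to SL3 switch is one-way, Phase 3 has to be gated per cardholder on the Phase 2 result. The following added example (not part of the original page or any vendor tool) holds back every card that can still reach a reader without SL3 firmware; the reader IDs, zones, UIDs and data layout are constructed for illustration.

```python
# Added example: gate the one-way SL1 -> SL3 level switch on reader readiness.

# Constructed Phase 0 inventory: reader id -> (zone, firmware accepts SL3?)
READERS = {
    "R-001": ("HQ-lobby", True),
    "R-002": ("HQ-lobby", True),
    "R-003": ("HQ-lab", True),
    "R-004": ("Warehouse", False),   # still waiting for its Phase 2 firmware wave
    "R-005": ("Warehouse", True),
}

# Constructed access grants: card UID -> zones the holder may enter
GRANTS = {
    "04A1B2C3D4E5F6": {"HQ-lobby", "HQ-lab"},
    "04112233445566": {"HQ-lobby", "Warehouse"},
    "04FFEEDDCCBBAA": {"Car-park"},   # zone missing from the reader inventory
}

def sl1_only_readers_by_zone(readers):
    """Map every inventoried zone to the readers in it that would reject an SL3 card."""
    zones = {}
    for reader_id, (zone, accepts_sl3) in sorted(readers.items()):
        zones.setdefault(zone, [])
        if not accepts_sl3:
            zones[zone].append(reader_id)
    return zones

def plan_level_switch(readers, grants):
    """Return {uid: (decision, reason)}; a card is switched only if no reader can lock it out."""
    blockers = sl1_only_readers_by_zone(readers)
    plan = {}
    for uid, zones in sorted(grants.items()):
        unknown = sorted(z for z in zones if z not in blockers)
        blocked = sorted(r for z in zones for r in blockers.get(z, []))
        if unknown:
            # A zone nobody inventoried may hide SL1-only readers: fail closed.
            plan[uid] = ("HOLD", "zones not in reader inventory: " + ", ".join(unknown))
        elif blocked:
            plan[uid] = ("HOLD", "readers still SL1-only: " + ", ".join(blocked))
        else:
            plan[uid] = ("SWITCH", "every reachable reader accepts SL3")
    return plan

if __name__ == "__main__":
    for uid, (decision, reason) in plan_level_switch(READERS, GRANTS).items():
        print(f"{uid}  {decision:6}  {reason}")
```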
Rip-and-replace vs Plus SE phased — don't / do
The two migration models and why Plus SE is usually the right answer for a large Classic estate.
Don't — full rip-and-replace
- Replace every reader in one capital cycle to jump from Classic to DESFire — reader spend dominates the migration budget.
- Run Classic and DESFire on separate parallel estates while the migration finishes — dual-credential issuance and two help-desk support tracks.
- Retire Classic overnight — any user whose reader hasn't been cut over loses access.
- Argue for multi-year reader capital in a single budget line — often blocked at finance review.
Do — Plus SE phased migration
- Issue Plus SE cards on current readers from week one — close the CRYPTO-1 audit finding on the card side first.
- Upgrade reader firmware in controlled waves (per building, per zone) as budget allows — no parallel estates.
- Retire Classic cards on the next natural re-issuance cycle — no access gaps for users.
- Spread reader capital across multiple budget years — finance review approves each tranche on its own merit.
Six reasons Plus SE beats DESFire for legacy Classic estates
Why Plus SE is the default choice for organisations with a sunk reader investment — and where it still loses to DESFire EV3 (see the last section).
Zero reader downtime
Plus SE at SL1 enrols on existing Classic readers without firmware change — no access interruption during migration.
Phased capital spend
Reader firmware upgrades roll out over multiple budget years instead of concentrating in one capex cycle.
AES-128 endpoint
Security Level 3 uses the same AES-128 mutual authentication as DESFire — equivalent card-side cryptography.
Classic data model
Same 16-sector / MAD layout as Classic — access control and card-issuance software continue without schema change.
Audit closure day one
Replacing CRYPTO-1 card issuance with Plus SE addresses the audit finding even before readers are upgraded.
Same card-body economics
CR80 PVC, 4-colour offset print, overlay lamination — every Classic production line at Proud Tek runs Plus SE too.
Reader-firmware compatibility — who supports Plus SE SL3 today?
Plus SE Security Level 3 is a firmware capability on the reader side. Most major reader vendors have supported it for many years; the checks below are the ones that matter on a specification.
- HID Global — iCLASS SE, Signo and multiCLASS SE reader families support Plus SE Security Level 3 with current firmware; contact HID with the reader part number for firmware-version confirmation.
- SALTO Systems — XS4 offline and online reader families support Plus SE SL3; check the SALTO ProAccess configuration for the AES profile.
- ASSA ABLOY Aperio — Aperio online hub and wireless lock firmware support Plus SE SL3 on current releases.
- dormakaba — readers supplied with the exos and SafeRoute platforms support Plus SE SL3 with current firmware; confirm with dormakaba the exact firmware baseline for the installed estate.
- Legacy HID Prox (125 kHz) and first-generation HID iCLASS (pre-SE) — do not support Plus SE; these estates are candidates for reader replacement rather than Plus SE migration.
- Integrator guidance: before committing to a Plus SE roll-out, run a pilot batch of 50–100 cards across a representative reader sample and measure ATS/ATQA, enrolment time and firmware behaviour at both SL1 and SL3 — see the hotel key card encoding guide for the pilot methodology.
When Plus SE fits, and when to jump straight to DESFire EV3
Plus SE is the right answer when the reader estate is large and Classic-compatible. When it is not, DESFire EV3 is usually the better destination.
- Pick Plus SE when the organisation has hundreds or thousands of Classic readers, the reader firmware has a Plus SE SL3 path and procurement needs phased capital.
- Pick MIFARE DESFire EV3 for new deployments with no Classic reader debt — DESFire adds multi-application file-system architecture and EAL5+ certification beyond Plus SE's feature set.
- Pick DESFire EV3 for applications that need more than 16 sectors, SUN / SDM NFC tap-to-verify URLs, or consolidated multi-application campus / transit credentials.
- See MIFARE Plus EV2 vs DESFire EV3 for the side-by-side comparison of the two destinations.
- Review Classic vs Plus vs DESFire for hotel locks for the hotel-specific lock-vendor compatibility picture.
FAQ
What is the difference between MIFARE Plus SE and MIFARE DESFire EV3?
Plus SE is a drop-in Classic replacement. It keeps Classic's 16-sector memory layout and can operate on existing Classic readers in Security Level 1, then switches to AES-128 at Security Level 3 once readers are firmware-upgraded. DESFire EV3 is a new architecture: an AES-128 file system with up to 28 firewalled applications, ISO/IEC 7816-4 APDU commands and Common Criteria EAL5+ certification. Choose Plus SE when you have a large installed Classic reader base and need phased migration. Choose DESFire EV3 for new installations or when you need multi-application architecture and EAL5+ assurance.
Do our existing Classic readers need hardware changes for Plus SE?
For Plus SE in Security Level 1 (Classic-compatible mode), no reader change is needed — Plus SE cards are recognised as Classic cards. To enable Plus SE Security Level 3 (AES-128), your readers need a firmware update that understands the Plus SE AES command set. Most readers manufactured after 2012 from HID, SALTO, dormakaba and ASSA ABLOY support this firmware upgrade; confirm with the reader vendor against your exact reader part number and firmware version.
Can we mix Classic 1K and Plus SE cards on the same reader estate during migration?
Yes — that is the point of the Plus SE phased model. During migration, Classic 1K cards continue to work on all readers, Plus SE cards in Security Level 1 also work on all readers, and once individual readers are firmware-upgraded they accept Plus SE at Security Level 3. No user experiences an access gap and no dual-credential parallel estate is needed.
What is the difference between Plus SE, Plus S and Plus X?
All three are in the MIFARE Plus family and support the Security Level ladder. Plus SE is the entry-point Standard Edition, with the Classic-compatible 1 KB layout and the four-level security model. Plus S adds a proximity check (distance-bounding protocol) to defend against relay attacks. Plus X adds SL2 command multiplexing and can run DES / 3DES / AES on a mixed reader estate. For most Classic migrations, Plus SE is the right answer; specify Plus S when relay attacks are in the threat model and Plus X only for specific legacy reader mixes.
Once a card is switched to Security Level 3, can it be reverted to Security Level 1?
No. The Security Level transition is one-way (SL0 → SL1 → SL3). Once a Plus SE card is committed to Security Level 3, it cannot be downgraded. This is intentional — it prevents an attacker from coercing the card back into CRYPTO-1 mode. Plan the level switch for the reader-upgrade cycle, not earlier.
What is the MOQ and lead time for MIFARE Plus SE cards?
Blank white Plus SE cards: 200-piece minimum, lead time 5–7 business days from stock. Custom 4-colour printed Plus SE cards with overlay lamination and sector-key encoding: 500-piece minimum, 12–15 business days from artwork approval. Every order ships with migration planning documentation and sector-key configuration templates so the issuing team can line up the encoding workflow with the reader-upgrade plan.
Does Plus SE support NFC tap-to-URL on a smartphone?
No — Plus SE's memory layout is Classic-style sectors, not NDEF. iPhones and Android phones will read the UID but not the sector content without specific SDK code. For smartphone tap-to-URL workflows (marketing, authentication, DPP) pair Plus SE with an NTAG 424 DNA or DESFire EV3 SKU — both are NFC Forum Type 4 tags and open URLs natively. (For low-cost tap-to-URL without authentication, NTAG 213 / 215 / 216 are NFC Forum Type 2 tags that also work.)
Sources & references
Primary standards, OEM datasheets and regulatory documents cited by this article. All URLs were verified on the access date shown below.
- NXP MIFARE Plus SE product page
Official product brief covering Security Level model and migration guidance.
- NXP MIFARE family overview
Family positioning of Plus SE / S / X relative to Classic and DESFire.
- NXP AN10922 — Symmetric-key diversifications for MIFARE Plus, DESFire and UCODE
Reference AES-128 key-diversification scheme used for Plus SE issuance.
- ISO/IEC 14443-3:2018 — Proximity cards, Type A
Type A air-interface standard under which Plus SE SL1 is Classic-compatible.
- NIST FIPS 197 — Advanced Encryption Standard (AES)
AES-128 specification implemented at Plus SE Security Level 3.
- NIST SP 800-38B — The CMAC Mode for Authentication
CMAC integrity mode used by Plus SE SL3 AES-128 command stream.
- Garcia et al. — Dismantling MIFARE Classic (CRYPTO 2008)
Academic CRYPTO-1 break establishing the migration imperative that Plus SE addresses.
- Common Criteria Portal — MIFARE Plus SE certified product listing
EAL4+ certification for the MIFARE Plus SE / EV1 product family indexed under NXP.
- ISO/IEC 7810:2019 — Identification cards, physical characteristics (ID-1 CR80)
Physical dimensions standard (85.60 × 53.98 × 0.76 mm) for CR80 card bodies.
- ISO/IEC 10373-6:2020 — ID card test methods, proximity cards
Durability + electrical test methods applied to Plus SE card body at the issuance bureau.
Proud Tek is a Shenzhen-based RFID & NFC manufacturer supplying hotel chains, transit operators, event venues and retail brands worldwide. Every order includes free samples, RF testing and dedicated project support.
