DSC USB Tokens Moving to FIPS 140-3 from September 2026: What Businesses and DSC Users Must Know
- Apr 22
India’s Digital Signature Certificate (DSC) ecosystem is entering a major security transition. As per the latest advisory and security direction issued under the Controller of Certifying Authorities (CCA), the ecosystem is moving from older FIPS 140-2 compliant cryptographic USB tokens to newer FIPS 140-3 compliant secure cryptographic modules.
This change will directly impact DSC users, Certifying Authorities (CAs), resellers, enterprises, GST practitioners, MCA users, eTender participants, and anyone using USB tokens for digital signatures.
What is FIPS 140-3?
FIPS stands for Federal Information Processing Standards — a globally recognized security benchmark for cryptographic hardware and software modules.
FIPS 140-3 is the latest security standard replacing FIPS 140-2. It introduces stronger security validation requirements, enhanced cryptographic controls, and stricter testing mechanisms for secure devices used to store cryptographic keys.
In the Indian PKI ecosystem, DSC private keys are required to be stored in secure cryptographic hardware tokens. CCA guidelines already mandate secure storage of DSC keys in validated crypto tokens.

What Has the CCA Announced?
According to the official advisory (Advisory_on_Migration_from_FIPS_140-2_to_FIPS_140-3.pdf) regarding migration from FIPS 140-2 to FIPS 140-3:
Certifying Authorities must stop issuing DSCs in FIPS 140-2 modules by 21 September 2026.
After this date, fresh DSC downloads and renewals must move to FIPS 140-3 compliant tokens.
Existing DSCs already downloaded into FIPS 140-2 tokens before the deadline can continue to work until certificate expiry.
One-time reissuance may be allowed in exceptional cases for the same subscriber and remaining validity period.
Token OEMs and distributors are advised to publish exchange or buyback policies for old tokens.
CAs are advised to publish revised pricing and exchange policies for upgraded tokens.
What Happens to Existing DSC Tokens?
This is one of the biggest concerns among DSC users.
Existing Tokens Will Not Immediately Stop Working
If your DSC is already stored in a FIPS 140-2 token before September 2026, it can continue to be used until the DSC expires.
However, Limitations Will Apply
After 21 September 2026:
New DSC issuance on old FIPS 140-2 tokens may stop.
DSC renewals on older tokens may not be allowed.
Fresh certificate downloads may require FIPS 140-3 compliant devices.
Organizations may need to migrate users to upgraded hardware.
This means businesses should begin planning migration early instead of waiting until renewal cycles begin failing.
Why This Transition Matters
The move is primarily driven by cybersecurity and compliance improvements.
Key Benefits of FIPS 140-3 Tokens
Improved cryptographic protection
Stronger tamper resistance
Better compliance with evolving global security standards
Improved protection against hardware attacks
Enhanced trust for eGovernance and enterprise signing environments
As cyber threats evolve, regulators worldwide are tightening standards for cryptographic hardware security.
Impact on Businesses and Professionals
The transition will affect many sectors using DSCs daily:
MCA filings
GST filings
Income Tax filing
ICEGATE and DGFT users
eTendering platforms
EPFO and PF filings
Company directors
Chartered accountants
Company secretaries
Government contractors
Enterprises using bulk signing infrastructure
Organizations using large numbers of DSC tokens should start preparing inventory audits and migration planning now.
Expected Changes in Token Pricing
FIPS 140-3 compliant secure tokens are expected to cost more than older FIPS 140-2 devices due to:
advanced hardware security requirements
certification costs
stricter validation testing
newer secure element architecture
CCA has also advised CAs and OEMs to publish revised pricing and exchange policies. Users should expect:
token upgrade programs
exchange offers
revised token pricing
bundled migration plans from DSC providers
What DSC Partners and Resellers Should Do Now
Buy only a limited quantity of tokens, enough to be used in the next 1-2 months. If any tokens are left unused after the above deadline and the company does not bring out any policy, we will not be responsible for those tokens.
Recommended Actions
Identify customers using old tokens
Inform customers about the September 2026 transition
Prepare upgrade campaigns
Create token exchange programs
Maintain inventory of FIPS 140-3 compliant tokens
Educate enterprise clients about migration timelines
Early movers will gain trust and avoid last-minute operational disruptions.
Emerging FIPS 140-3 Token Ecosystem
Manufacturers have already started launching FIPS 140-3 compliant devices for the Indian DSC ecosystem. Some vendors are promoting next-generation secure tokens aligned with updated CCA requirements.
This indicates that the industry transition has already started.
Final Thoughts
The migration from FIPS 140-2 to FIPS 140-3 marks a major modernization step for India’s digital signature infrastructure.
While existing tokens will continue temporarily until certificate expiry, the future of DSC issuance and renewals is clearly moving toward FIPS 140-3 compliant secure hardware.
Businesses, professionals, and DSC partners should begin planning migration strategies now to avoid disruptions after September 2026.
The earlier the transition planning begins, the smoother the migration experience will be.


