# Release Notes March 2026
source: https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-march2026/index.md

## Release Change Summary {#release-change-summary}

The MDES March 2026 release will support the following updates.

* Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) cipher mode for enhanced security. It will be supported in addition to the existing Cipher Block Chaining (CBC) mode as part of the wrapped encrypt/decrypt supported for MDES Customer Service APIs.
* Support new transaction types.
* Align max length for the Token Unique Reference (TUR) field across all APIs.

##### Impacted APIs {#impacted-apis}

* Search
* Token Activate
* Token Update
* Disable Payment Channels
* Notify Authentication Decision

## Release Timeline {#release-timeline}

* MTF - ~~18 February 2026~~ 25 March 2026
* Production - ~~25 February 2026~~ 8 April 2026

### Impacted Market {#impacted-market}

* Functionality Available - Global

## Change 1 - Enhanced the EncryptedPayload object {#change-1---enhanced-the-encryptedpayload-object}

Three new fields are added to the encrypted payload object.

* algorithmCipherMode
* tag
* aad

In addition, the existing parameter iv has been updated to support the field size changes required to support GCM encryption.

|                                                                                                                            Field and Description                                                                                                                            | Data Type | Min Length | Max Length |                                           Required                                           |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------------------------------------------------------------------------------------------|
| **algorithmCipherMode** The AES cipher mode used for the encrypted data. Must be one of the following value: CBC - When CBC cipher mode to be used GCM - When GCM cipher mode to be used                                                                                    | String    | 3          | 3          | Conditional -- Required when algorithmCipherMode used is GCM.                                |
| **tag** Tag to verify during data decryption.                                                                                                                                                                                                                               | String    | 1          | 36         | Conditional -- Required when algorithmCipherMode used is GCM, not present otherwise.         |
| **aad** Additional authentication data used in GCM mode. Hex-encoded data (case-insensitive).                                                                                                                                                                               | String    | 1          | 36         | Conditional -- Optional when algorithmCipherMode used is GCM, not present otherwise.         |
| **iv** Initialization vector used when encrypting data using the onetime use AES key. Must be exactly 12 bytes (24 character hex string) when using GCM and 16 bytes (32 character hex string) when using CBC to match the block size. Hex-encoded data (case-insensitive). | String    | 24         | 32         | Conditional - Required when the EncryptedAccountInformation.EncryptedData object is present. |


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/activate`


API Reference: `GET /{id}/token/update`

<br />

## Change 2 - Support additional transaction types {#change-2---support-additional-transaction-types}

Five new values are added to the TransactionTypeCode field in the Transactions API response.

* **ATMWD**: ATM Cash Withdrawal
* **CASHD**: Cash Disbursement
* **ATMDP**: ATM Deposit
* **ATMTR**: ATM Account Transfer
* **PAYMT**: Payment


API Reference: `GET /{id}/transactions`

## Change 3 - Align max length for the TUR field {#change-3---align-max-length-for-the-tur-field}

The maximum length of the TUR field is aligned to 64 characters across the following APIs.

* Search (request)
* Token Activate (response)
* Token Update (response)
* Disable Payment Channels (request)
* Notify Authentication Decision (response)


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/activate`


API Reference: `GET /{id}/token/update`


API Reference: `GET /{id}/token/disablepaymentchannels`


API Reference: `GET /{id}/token/notifyauthenticationdecision`

<br />

## Impact {#impact}

### Change 1 {#change-1}

Customers can choose to support either the GCM or CBC encryption mode to encrypt the payload. Please follow the requirements described in the API specification to implement this functionality.

### Change 2 {#change-2}

Issuers should ensure their integrations can handle these additional values. Refer to the API specification for full details.

### Change 3 {#change-3}

The maximum length of Token Unique Reference (TUR) has been increased to 64 characters in both request and response payloads across all endpoints, aligning with other APIs that already support this length. Issuers should ensure their integrations can accommodate the updated limit.