3.2 PIV card issuance

The card issuance process is as follows:

  1. Request

    A card request is made in MyID to create a job for issuance. A credential profile is selected for use, and optionally an expiry date set.

    The card request is made through the Lifecycle API.

    If you already have an applicant enrolled, you can request a card for that user with the Request Card workflow.

  2. Approve

    The card request is reviewed and either approved or rejected. The credential profile and expiry date are reviewed and, if necessary, amended.

    To include a validation stage in the process, set the Validate Issuance option on the credential profile.

    Use the MyID Validate Request workflow to approve the card request.

  3. Assign

    The card to be issued is assigned to the user account, card security is configured (Administrator PINs and keys are set) and the card surface is printed.

    Use the MyID Collect Card or Batch Collect Card workflows.

    Note: Do not use the Issue Card workflow. This does not support the PIV card issuance process.

  4. Personalize

    The electronic data within the applet is written, including the FASC-N, CHUID, Printed Information and Biometric data. Certificates are generated and written to the card.

    If you want to personalize the card electronically (including certificate issuance) before the cardholder carries out the activation process, you can choose when this takes place in MyID. This is optional – if you do not personalize the card at this stage, the electronic personalization takes place during card activation.

    Card personalization can take place at the following points in the process:

    • During the Collect Card or Batch Collect Card workflows, at the same time as the Assign step.

    • Using the Batch Encode Card workflow as a separate encoding stage.

    Additional checks are made during this process to ensure that:

    • The PIV card expiry date does not exceed the lifetime of the signing certificate.

    • The biometric data will not expire during the lifetime of the card.

    • Facial biometric data is present for the applicant.

  5. Activate

    Make sure that the credential profile is set up to use activation. Set the Require Activation option to Allow self collection or Assisted activation only.

    The cardholder authenticates to MyID using fingerprint verification (set the Require fingerprints at Issuance option in the credential profile), sets the user PIN, and activates the card. The card is now fully issued and can be used.

    The cardholder can carry out a self-service activation using the Self-Service Kiosk. Alternatively, an operator can guide the cardholder through activation using the MyID Assisted Activation workflow, depending on how you have set the Require Activation option in the credential profile.

    Note: MyID uses the term "activation" to refer to the final handover stage of the PIV card to the cardholder.

You can also combine the personalization and activation stages. However, generating four 2048-bit key pairs on a card during the personalization stage can take some time, so if you want to keep the time cardholders spend interacting with MyID to a minimum, it is recommended that you personalize the cards before the cardholders activate them.

Note: FIPS 201-2 requires more than one person to be involved in issuing a PIV card. MyID will not permit the same person to request and validate, or validate and collect, a PIV card. However, MyID does allow the same operator to request and collect a card. If you do not have a validation stage, use the Edit Roles workflow to assign the request and collect workflows to different roles, so that more than one person is always involved in issuing a PIV card.
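The three pre-personalization checks listed under step 4 and the two-person rule in the note above are simple enough to express as code. The following Python is an added example written for this page; it is not MyID product code and does not use any MyID API. The dataclass and field names, the operator identifiers and the sample dates are assumptions constructed for illustration. The third separation-of-duties rule reproduces the effect of assigning the request and collect workflows to different roles when no validation stage is configured, which MyID itself does not enforce.

```python
"""Issuance policy checks modelled on the PIV issuance steps described above.

Added illustration only: nothing here is MyID code or a MyID API. The
dataclasses, field names and sample values are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class SigningCert:
    not_after: date  # expiry of the certificate that signs the card's PIV objects


@dataclass
class Biometrics:
    facial_image_present: bool
    expires: Optional[date]  # expiry of the enrolled biometric record, if any


@dataclass
class IssuanceRequest:
    card_expiry: date
    signing_cert: SigningCert
    biometrics: Biometrics
    requested_by: str                   # operator who ran the request step
    validated_by: Optional[str] = None  # operator who validated, if that stage exists
    collected_by: Optional[str] = None  # operator who assigned/collected the card


def personalization_checks(req: IssuanceRequest) -> List[str]:
    """Return the reasons electronic personalization must be refused (empty list == OK)."""
    problems: List[str] = []
    # The card must not outlive the signing certificate (step 4, first check).
    if req.card_expiry > req.signing_cert.not_after:
        problems.append("card expiry exceeds signing certificate lifetime")
    # Biometric data must still be valid when the card expires (second check).
    if req.biometrics.expires is not None and req.biometrics.expires < req.card_expiry:
        problems.append("biometric data expires before the card does")
    # Facial biometric data must be present for the applicant (third check).
    if not req.biometrics.facial_image_present:
        problems.append("no facial biometric data enrolled for applicant")
    return problems


def separation_of_duties_checks(req: IssuanceRequest) -> List[str]:
    """Return two-person-rule violations (empty list == OK).

    The first two rules are the ones the text says MyID enforces. The third
    reproduces the outcome of assigning request and collect to different
    roles when no validation stage is configured (an assumed local policy).
    """
    problems: List[str] = []
    if req.validated_by is not None:
        if req.validated_by == req.requested_by:
            problems.append("same operator requested and validated the card")
        if req.collected_by is not None and req.collected_by == req.validated_by:
            problems.append("same operator validated and collected the card")
    elif req.collected_by is not None and req.collected_by == req.requested_by:
        problems.append("no validation stage and same operator requested and collected")
    return problems


def issuance_allowed(req: IssuanceRequest) -> bool:
    """True only when both sets of checks pass."""
    return not (personalization_checks(req) or separation_of_duties_checks(req))


def example_request() -> IssuanceRequest:
    """A constructed request that passes every check (sample data, not real)."""
    return IssuanceRequest(
        card_expiry=date(2029, 6, 30),
        signing_cert=SigningCert(not_after=date(2030, 1, 1)),
        biometrics=Biometrics(facial_image_present=True, expires=date(2030, 6, 30)),
        requested_by="operator-a",
        validated_by="operator-b",
        collected_by="operator-c",
    )


def example_bad_request() -> IssuanceRequest:
    """A constructed request that fails all three step-4 checks and one two-person rule."""
    return IssuanceRequest(
        card_expiry=date(2031, 1, 1),  # later than the signing certificate's expiry
        signing_cert=SigningCert(not_after=date(2030, 1, 1)),
        biometrics=Biometrics(facial_image_present=False, expires=date(2030, 6, 30)),
        requested_by="operator-a",
        validated_by="operator-a",  # requester validating their own request
    )


if __name__ == "__main__":
    print("good request allowed:", issuance_allowed(example_request()))
    bad = example_bad_request()
    for reason in personalization_checks(bad) + separation_of_duties_checks(bad):
        print("refused:", reason)
```

Running the block prints `good request allowed: True` followed by the four refusal reasons for the constructed bad request. In a real deployment the signing certificate expiry and biometric record dates would come from the CA and the enrolment record rather than from literals, and the check results would be written to the audit trail alongside the operator identifiers.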

3.2.1 Cardholder authentication

With self-service activation, the cardholder is prompted to provide a fingerprint for authentication before the card can be activated. If the cardholder cannot verify their fingerprints, they will not be able to activate their card without assistance from a MyID operator.

The Assisted Activation workflow can be used to allow fingerprint authentication to be retried – if a fingerprint match still cannot be achieved, the operator can override the need for fingerprint verification.

In situations where the identity of the cardholder needs to be proven before carrying out an operation on their behalf, such as activating a card, the Authenticate Person operation can be used to record how the cardholder was identified. This operation allows details of the identity documents (approved for use for identification in FIPS 201-2) to be recorded and stored as part of the MyID audit records for future reference. Details of the authentication can be viewed in the Audit History tab of the cardholder's user account record in MyID.