5.3 Issuing replacement cards

When you request a replacement card, the type of replacement depends on the reason the card needs to be replaced.

• If the card is lost or destroyed permanently, the system cancels the card, revokes the certificates and requests a permanent replacement card.
• If the card is misplaced or forgotten, the system disables the card, suspends the certificates, and requests a temporary replacement card.

Certificates are treated differently, depending on whether they are archived, and whether the original certificates may have been compromised.

See section 6.5, Certificate reasons for details of what happens to the certificates in the various card replacement scenarios.

For temporary replacement cards, you are strongly recommended to set up a temporary replacement credential profile. See section 5.3.6, Temporary replacement credential profiles for details.

5.3.1 Issuing temporary replacement cards

You can use the Issue Temporary Replacement Card workflow to issue a temporary replacement card to a user; for example, if the user has forgotten their card.

If there is a _temp credential profile for the card being replaced, it is used automatically. If there is no _temp credential profile available, the same profile as the original card is used. See section 5.3.6, Temporary replacement credential profiles for instructions on creating a _temp credential profile.

To issue a temporary replacement card:

1. From the Cards category, select Issue Temporary Replacement Card.
2. Use the Find Person screen to search for the user to whom you want to issue a temporary replacement card.

3. Select the user from the list.

   The list of possible reasons for issuing a temporary replacement card appears.

   

4. Select the reason you are issuing a temporary card, then type the Details.

   See section 6.5, Certificate reasons for details.

5. Click Next.
6. Insert the replacement card.
7. Type the New PIN and confirm it.
8. Click Next.
9. Print the card, if necessary.

5.3.2 Requesting a replacement card

The Request Replacement Card workflow allows you to request a replacement card.

Note: To allow you to select another person, you must have a role that has the Choose Recipient option selected under Request Replacement Card entry in the Edit Roles workflow.

1. From the Cards category, click Request Replacement Card.

   If the Allow self requests configuration option (on the Self-Service page of the Security Settings workflow) is set, you can choose whether the replacement is for yourself, or for another user.

   

   Choose whether the recipient of the new card will be Yourself or Another User, then click Next.

2. To select the cardholder, use the Find Person screen to select the person.

   The cards assigned to the person are listed.

3. Select the card you want to replace.

   If the person has only one card, the workflow progresses to the next stage automatically.

4. Select a reason and provide Details for the card replacement.

   See section 6.5, Certificate reasons for details.

   Note: If the Delayed Cancellation Period configuration option (on the Devices page of the Operation Settings workflow) is set to a value greater than 0, there is an additional reason available: Device Replacement (Delayed Cancellation). If you select this option, the device and its certificates are not canceled immediately, but are canceled after the number of hours specified in the configuration option.

5. To request a replacement card, click Request Card.

   To pre-allocate a specific replacement card, click Assign Card:

   • If the Allow card serial number to be entered during Request Card workflow option is set to Yes, you can enter the serial number.

     You can include ? and * as wildcard characters; any unassigned devices, or devices with unrestricted cancellation, that match the search criteria are displayed; the device serial numbers must already be known to MyID. If more than 10 devices match the search criteria, you must search again with more restrictive criteria.

   • Alternatively, insert the card you want to allocate.

   MyID creates the replacement card request job.

The old card is canceled, and a job for a replacement card is created. The replacement card can be picked up using either the Collect My Card or the Collect Card workflow.

5.3.3 Permanent card replacement example

For a permanent replacement card, MyID issues a new card using the same profile as the old card.

The default behavior is as follows. Assuming that the card had two certificates, one of which was archived, the new card contains the following certificates:

• For the non-archived certificate, a new certificate using the same template.
• For the archived certificate, a new certificate using the same template. All future encryption is carried out using the new certificate.
• For the archived certificate, a number of historic recovered certificates.

The historic certificates allow you to decrypt any data encrypted with the original key.

MyID can determine whether archived or new encryption certificates are issued to a card based on the reason for the replacement; in situations when the card is still present, but is damaged or permanently blocked, MyID can issue archived encryption certificates instead of new certificates – the archived certificates are not revoked or suspended.

The behavior can be customized. Contact customer support for details.

5.3.4 Temporary card replacement example

For a temporary replacement card, MyID issues a new card.

If there is a _temp credential profile for the card being replaced, it is used automatically. If there is no _temp credential profile available, the same profile as the original card is used. See section 5.3.6, Temporary replacement credential profiles for details.

Assuming that the card had two certificates, one of which was archived, the new card contains the following certificates:

• For the non-archived certificate, a new certificate using the same template.

• For the archived certificate, a copy of the archived certificate. As this is the same certificate, you can encrypt and decrypt data as if you were using the original card.

  Note, however, that if the credential profile has set the archived certificate to Issue new, a new certificate is issued instead. If you want a temporary replacement card to be issued a copy of the archived certificate, you must set the option for the archived certificate to Use existing.

• For the archived certificate, a number of historic recovered certificates.

By default, no historic recovered certificates are written to temporary cards. You can change the number of recovered certificates using the options on the credential profile.

5.3.5 Replacing temporary cards

A temporary replacement card should be used only for a short time. Temporary cards can be replaced in the following situations:

• The original card is found.

  Use the Erase Card workflow to cancel the temporary card, selecting the Activate Original reason. The temporary card is canceled, and the original card is re‑enabled.

• The temporary card is forgotten.

  Use the Request Replacement Card workflow to request another card. The temporary card is canceled, and a new temporary replacement of the original card is issued.

• The temporary card is lost or stolen, or the original card is compromised.

  Use the Request Replacement Card workflow to request another card. The temporary card is canceled, the original card is canceled, and a permanent replacement card is issued.

5.3.6 Temporary replacement credential profiles

For temporary replacement cards, you are strongly recommended to set up a temporary replacement credential profile, to consider carefully who can receive the temporary card, to restrict its lifetime, and consider which certificates you want to include on it. If you do not specify a temporary replacement credential profile, the original credential profile is used instead – this may not be appropriate for your security policies.

You can specify an alternative credential profile to be used automatically for temporary replacement cards. Create a credential profile (see the Managing credential profiles section in the Administration Guide) and give it the name <profile>_temp. For example, if your permanent card is issued with the profile Employee, create the alternative profile with the name Employee_temp.

Note: Credential profile names are case-sensitive.

Set up this profile to issue a signing certificate – this does not have to be the same as the signing certificate on the original card. When the card is issued, you can recover any historic encryption certificates to the card. The original signing certificate is suspended.

When the forgotten card is found, the temporary card is canceled. This revokes the temporary signing certificate, unsuspends the original signing certificate, and leaves the encryption certificate active.

_temp credential profiles do not apply to permanent replacement cards.

See section 5.3.1, Issuing temporary replacement cards for details of the Issue Temporary Replacement Card workflow.