3.3 PIV card reissuance
PIV card reissuance covers the following cases:
- The PIV card is to be replaced due to employee status or attribute change.
- The PIV card is to be replaced due to the original being compromised, lost, stolen or damaged.
- The PIV card is to be replaced due to pending expiry.
An external system can request a replacement card using the Lifecycle API.
If the employee status or attributes have changed, you can use the MyID Core API, Lifecycle API, or the PIV applicant editing screens to make any updates to the MyID record.
An operator can request a replacement card using the user interface:
- During the operation, a revocation reason must be selected. Each reason may have different revocation actions, which are described in the user interface.
- For card renewals, the request may be denied if the period to expiry is greater than is allowed. The period is defined in the Card Renewal Period configuration flag. On collection of the replacement, the card expiry period will be defined by the credential profile.
- The replacement card may require additional approval (using the Approve Request option on the View Request screen) based on the Validate Issuance setting in the credential profile, or the Approve Replacement Cards option on the Process page of the Security Settings workflow.
- FIPS 201-3 requires that the user be re-enrolled where the chain of trust is not maintained, or where the original PIV card had expired prior to collecting the replacement. MyID helps enforce this with the Applicants Re-Approve for Card Renewal and Applicants Re-Enroll for Card Replacement configuration options.
As MyID holds the original card issuance record and user account data, a 1:1 fingerprint match may be used to confirm the identity of the cardholder prior to activating the replacement card.
It is not possible to request a replacement for a card that has already expired.
Once the replacement card has been requested and, if needed, approved, it may be collected using any of the supported card issuance models described above. For all replacement cards other than renewals, the original card expiry date will be maintained. Certificates will not be allowed to exceed this expiry date when the Restrict certificate lifetimes to the card configuration flag is set to Yes.