Document Purpose
The purpose of this policy is to establish a security posture for the interaction of cardholder data and reduce the burden of the implementation and management of Payment Card Industry (PCI) applicable controls required by the most current version of the Payment Card Industry Data Security Standard (PCI DSS).

Unless otherwise provisioned, documented, or communicated, this document establishes policy as it relates to the storage, processing, or transmission of cardholder data within the New Sunrise Mental Health/CMD system.

​

Please note that any transactions carried out on other online platforms such as PayPal, Venmo, or Zelle are not covered by this policy.

Scope
This document applies to all employees, contractors, and third party entities that store, process,
transmit cardholder data, or otherwise interact with cardholder data which is processed against any
transaction where New Sunrise Mental Health owns or is responsible for the associated merchant ID
(MID).

Statement of Policy
Unless otherwise approved by New Sunrise Mental Health leadership, the following policy must be
implemented and managed.

​

Transaction Processing

1. All payment processing will be facilitated through CMD/Global Payments Integrated, a validated PCI P2PE solution.
approved and listed by the PCI Security Standards Council (SSC). No other forms of transaction
processing will be permitted or approved.
2. New Sunrise Mental Health may not receive or transmit cardholder data electronically outside
of the CMD/Global Payments Integrated.

​

Cardholder Data Storage
1. Storage of electronic/digital cardholder data is allowed only within the CMD system.
2. Storage of sensitive authentication data after authorization is prohibited.
3. Storage of cardholder data in physical (paper) print form is prohibited.

​

Policy Application
The application of this policy:
1. Must have procedures and standards clearly defined and documented to support the policy
requirements.
2. Must establish processes to ensure this policy is in place and functioning.
3. Must ensure that this policy and supporting information is known and understood by all
individuals within its scope.
4. Must include a formal review of this policy at least annually or when there is a significant change
to business.
5. Must include an audit of the application of this policy at least every year.