PCI Policy

New Sunrise Mental Health

New Sunrise Mental Health PCI Policy

Document Purpose
The purpose of this policy is to establish a security posture for the interaction of cardholder data and reduce the burden of the implementation and management of Payment Card Industry (PCI) applicable controls required by the most current version of the Payment Card Industry Data Security Standard (PCI DSS).


Unless otherwise provisioned, documented, or communicated, this document establishes policy as it relates to the storage, processing, or transmission of cardholder data within the New Sunrise Mental Health/CMD system.

Please note that any transactions carried out on other online platforms, such as PayPal, Venmo, or Zelle, are not covered by this policy.


Scope

This document applies to all employees, contractors, and third-party entities that store, process,
transmit cardholder data, or otherwise interact with cardholder data which is processed against any
transaction where New Sunrise Mental Health owns or is responsible for the associated merchant ID
(MID).


Statement of Policy

Unless otherwise approved by New Sunrise Mental Health leadership, the following policy must be
implemented and managed.

Transaction Processing

  1. All payment processing will be facilitated through CMD/Global Payments Integrated, a validated PCI P2PE solution
    approved and listed by the PCI Security Standards Council (SSC). No other forms of transaction
    processing will be permitted or approved.
  2. New Sunrise Mental Health may not receive or transmit cardholder data electronically outside
    of the CMD/Global Payments Integrated solution.

Cardholder Data Storage

  1. Storage of electronic/digital cardholder data is allowed only within the CMD system.
  2. Storage of sensitive authentication data after authorization is prohibited.
  3. Storage of cardholder data in physical (paper) print form is prohibited.

Policy Application
The application of this policy:

  1. The policy must have procedures and standards clearly defined and documented to support its
    requirements.
  2. Must establish processes to ensure this policy is in place and functioning.
  3. Must ensure that this policy and supporting information are known and understood by all
    individuals within its scope.
  4. Must include a formal review of this policy at least annually or when there is a significant change
    to business.
  5. Must include an audit of the application of this policy at least every year.