Payment Card Industry Recommends DMARC, DKIM, SPF
As technology continues to evolve, so do the methods of cyberattacks, posing significant threats to organizations, particularly those in the financial sector. And with the majority of people making payments with credit or debit cards, the Payment Card Industry Security Standards Council (PCI SSC) realized it’s time to harden the attack surface of the vast digital payment ecosystem.
In progressing its cybersecurity standards, PCI recommends DMARC, SPF and DKIM in the guidance for Requirement 5.4.1 of PCI Data Security Standard (DSS) v. 4.0.1, the requirement that mechanisms be in place to detect and protect personnel against phishing attacks.
When developing anti-phishing controls, entities are encouraged to consider a combination of approaches. For example, using anti-spoofing controls such as Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) will help stop phishers from spoofing the entity’s domain and impersonating personnel.
—PCI DSS v. 4.0.1
The requirement for anti‑phishing mechanisms transitioned from best practice to fully required on March 31, 2025; DMARC/SPF/DKIM remain strongly recommended example controls. The DSS recommends that “anti-phishing controls are applied across an entity’s entire organization.”
In the following video Tim Draegen, primary author of DMARC and founder/CTO of dmarcian, discusses how DMARC can help your organization meet the PCI DSS requirements.
The PCI SSC focuses on global payment account data security and develops support services that drive education, awareness and implementation by stakeholders. Its DMARC guidance is significant in safeguarding sensitive payment card data and protecting consumers from fraud and identity theft.
Who is affected?
The DMARC “recommendation” in the guidance for Requirement 5.4.1 of PCI DSS v. 4.0.1 affects any organization that has to follow PCI DSS and uses email to communicate with customers, staff or partners about payment‑related matters. In practice, that is most businesses that handle or touch card payments in any way. By encouraging email authentication standards, PCI aims to mitigate the risk of cybercriminals impersonating legitimate organizations to deceive customers into disclosing sensitive information.
The DMARC recommendation has potentially far-reaching implications because PCI DSS applies to every entity that stores, processes or transmits cardholder data (merchants, processors, acquirers, issuers and other service providers), and its scope covers the cardholder data environment (CDE), which includes the following:
- System components, people, and processes that store, process, and transmit cardholder data and/or sensitive authentication data.
- System components, people, and processes that could impact the security of the CDE.
- System components that may not store, process, or transmit cardholder data (CHD) / Sensitive Authentication Data (SAD) but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
SAD is “security-related information used to authenticate cardholders and/or authorize payment card transactions. This information includes card validation verification codes/values, full track data (from magnetic stripe or equivalent on a chip), PINs, and PIN blocks.” SAD is vital to protect because with it criminals can generate counterfeit payment cards and fraudulent transactions. That is why storing SAD after the authorization process is prohibited.
With ubiquitous online banking and digital payments, the financial services sector has become a top phishing target for cybercriminals.
Benefits of DMARC
Implementing DMARC offers several key benefits to organizations operating within the payment card industry:
- Email fraud protection: DMARC gives a domain owner visibility into who is sending mail as the domain and, at an enforcement policy (p=quarantine or p=reject), lets receiving mail servers quarantine or reject mail that fails SPF and DKIM alignment. With this control in place, spoofed messages claiming the organization’s domain are far less likely to reach customers or staff.
- Email reliability: Because DMARC depends on correctly configured SPF and DKIM, deploying it surfaces misconfigured or forgotten sending sources through the aggregate reports, and properly authenticated, aligned mail is more likely to be delivered.
- Regulatory Compliance: As we’re seeing with the PCI, industries, governments and regulators are increasingly requiring or recommending DMARC. By adhering to these expectations, organizations demonstrate their commitment to data security.
- Reduced Financial Risks: Implementing DMARC helps mitigate financial risks associated with data breaches, including regulatory fines, legal liabilities and reputational damage. By fortifying email security measures, organizations can minimize the potential financial impact of cyberattacks and data breaches.
- Industry-wide Collaboration: The PCI DMARC guidance fosters collaboration and information sharing among organizations within the payment card industry. By collectively strengthening email security measures, industry stakeholders can better combat threats and vulnerabilities.
While deploying DMARC represents a significant step forward in cybersecurity, organizations must also prioritize ongoing monitoring and maintenance of their email security strategies to address evolving threats. A record published at p=none only provides visibility; the protection comes from moving to quarantine and then reject once every legitimate sending source authenticates and aligns. Regular assessment of DMARC policies, analysis of email authentication (aggregate and forensic) reports, and proactive measures to address vulnerabilities are essential components of an effective email security framework.
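The kind of report analysis described above, as an added example that is not dmarcian’s or the PCI SSC’s code: the script parses a DMARC policy record, then walks an RFC 7489 aggregate (RUA) report and recomputes for each source whether it passes DMARC, i.e. whether it has at least one SPF or DKIM pass whose domain aligns with the visible From domain under the published adkim/aspf mode. The DMARC record, the report XML, the domain example-bank.com and the sending IPs are all constructed for illustration; the organizational-domain helper is a simplification that takes the last two labels, whereas a production evaluator consults the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC record for the hypothetical domain example-bank.com;
# in practice this is the TXT record published at _dmarc.example-bank.com.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example-bank.com; adkim=r; aspf=r"

# Constructed aggregate report in the RFC 7489 Appendix C layout. Three sources:
# the bank's own mail server, a third-party CRM that passes SPF only for its own
# domain (unaligned, so it needs DKIM signing or an SPF include), and a spoofer.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example-bank.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-bank.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-bank.com</domain><result>pass</result></dkim>
      <spf><domain>mail.example-bank.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-bank.com</header_from></identifiers>
    <auth_results>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>9</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-bank.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-bank.com</domain><result>fail</result></dkim>
      <spf><domain>example-bank.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag->value dict, defaulting
    alignment modes to relaxed as RFC 7489 does."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption;
    a real evaluator uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    auth, hdr = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return auth == hdr if mode == "s" else org_domain(auth) == org_domain(hdr)


def evaluate_row(record_el, policy):
    """Recompute the DMARC result for one <record> from its raw auth_results."""
    header_from = record_el.findtext("identifiers/header_from")
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from, policy["adkim"])
                  for d in record_el.findall("auth_results/dkim"))
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from, policy["aspf"])
                 for s in record_el.findall("auth_results/spf"))
    return {
        "source_ip": record_el.findtext("row/source_ip"),
        "count": int(record_el.findtext("row/count")),
        "dmarc_pass": dkim_ok or spf_ok,
        "disposition": record_el.findtext("row/policy_evaluated/disposition"),
    }


def analyse_report(xml_text, dmarc_txt):
    """Return the published policy, per-source results and failing volume by IP."""
    policy = parse_dmarc_record(dmarc_txt)
    rows = [evaluate_row(r, policy) for r in ET.fromstring(xml_text.strip()).findall("record")]
    failing = {}
    for r in rows:
        if not r["dmarc_pass"]:
            failing[r["source_ip"]] = failing.get(r["source_ip"], 0) + r["count"]
    return {"policy": policy["p"], "rows": rows, "failing_by_ip": failing}


if __name__ == "__main__":
    result = analyse_report(SAMPLE_REPORT, SAMPLE_DMARC)
    print("published policy:", result["policy"])
    for r in result["rows"]:
        print(f'{r["source_ip"]:>14} count={r["count"]:<4} pass={r["dmarc_pass"]} disposition={r["disposition"]}')
    print("failing volume by source IP:", result["failing_by_ip"])
```

Two of the three sources fail in the sample: the CRM vendor, whose SPF pass is for its own domain and therefore does not align, and the spoofer at 203.0.113.5. Both kinds of entry are what the periodic report review should surface; the first is fixed by having the vendor DKIM-sign with your domain or adding it to your SPF record, the second is exactly the traffic an enforcement policy is meant to quarantine or reject.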
How dmarcian Can Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. You can register for a free trial, where our onboarding and support team will help you along the way.
Want to continue the conversation? Head over to the dmarcian Forum.