Payment Card Industry Requires DMARC in 2025

As technology continues to evolve, so do the methods of cyberattacks, posing significant threats to organizations, particularly those in the financial sector. And with the majority of people making payments with credit or debit cards, the Payment Card Industry (PCI) realizes it’s time to harden the attack surface of the vast digital payment ecosystem.

In progressing its cybersecurity standards, PCI will implement a DMARC requirement as seen in version 4.0.1 of its Data Security Standard (DSS). DMARC is a best practice until March 31, 2025 when it becomes required and necessary to fully consider during a PCI DSS assessment. In addition, the DSS recommends that “anti-phishing controls are applied across an entity’s entire organization.”

DMARC, a control designed to authenticate emails and prevent email spoofing, phishing, and other malicious activities, has become a cornerstone of email security strategies worldwide. PCI’s decision to enforce DMARC underscores the critical importance of email security in preventing data breaches and preserving consumer trust.

The PCI Security Standards Council (SSC) focuses its standards on global payment account data security and develops support services that drive education, awareness, and implementation by stakeholders. The DMARC mandate is significant in safeguarding sensitive payment card data and protecting consumers from potential fraud and identity theft.

---

---

Who is affected?

Under the PCI DMARC requirement, all organizations, including merchants, must implement DMARC for their domains to verify the authenticity of the emails sent on behalf of their brands. By enforcing email authentication standards, PCI aims to mitigate the risk of cybercriminals impersonating legitimate organizations to deceive customers into disclosing sensitive information.

The DMARC mandate has potential far-reaching implications as the PCI DSS requirements apply to the cardholder data environment (CDE), including merchants, processors, acquirers, issuers, and other service providers, including the following:

• System components, people, and processes that store, process, and transmit cardholder data and/or sensitive authentication data.
  
  
• System components, people, and processes that could impact the security of the CDE.
  
  
• System components that may not store, process, or transmit cardholder data (CHD) / Sensitive Authentication Data (SAD) but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD. SAD is “security-related information used to authenticate cardholders and/or authorize payment card transactions. This information includes card validation verification codes/values, full track data (from magnetic stripe or equivalent on a chip), PINs, and PIN blocks.” SAD is vital to protect because criminals can generate counterfeit payment cards and fraudulent transactions. That’s why storing SAD is prohibited after the authorization process.

---

---

Benefits of DMARC

Your implementation of DMARC offers several key benefits to organizations operating within the payment card industry:

• Email fraud protection: DMARC provides visibility of how a domain is used and prevents unauthorized senders from sending email on behalf of an organization. With this control, organizations establish robust email authentication protocols, reducing the likelihood of unauthorized access and protecting against email-based threats.
  
  
• Email reliability: DMARC is the foundation for reliable email delivery, and is often the first step taken to resolve email delivery issues.
  
  
• Regulatory Compliance: As we’re seeing with the PCI, industries, governments, and regulators are increasingly requiring DMARC to be in place. By adhering to these regulations, organizations demonstrate their commitment to data security.
  
  
• Reduced Financial Risks: Implementing DMARC can help mitigate financial risks associated with data breaches, including regulatory fines, legal liabilities, and reputational damage. By fortifying email security measures, organizations can minimize the potential financial impact of cyberattacks and data breaches.
  
  
• Industry-wide Collaboration: The PCI DMARC requirement fosters collaboration and information sharing among organizations within the payment card industry. By collectively strengthening email security measures, industry stakeholders can better combat threats and vulnerabilities.

While deploying DMARC represents a significant step forward in cybersecurity, organizations must also prioritize ongoing monitoring and maintenance of their email security strategies to address evolving threats. Regular assessment of DMARC policies, analysis of email authentication reports, and proactive measures to address vulnerabilities are essential components of an effective email security framework.

Deploying DMARC: Sooner is Better

Though the PCI mandate doesn’t land until March 2025, it’s never too early to begin your DMARC project and start protecting your domains to become compliant with the PCI DMARC mandate. Starting sooner also gives you time to progress your DMARC policy from the monitoring mode of p=none the the ultimate enforcement policy of p=reject.

A good place to start is using our domain checker to gain quick insights into your DMARC, SPF and DKIM records. With a DMARC record in place, you’ll have visibility into who is sending email on behalf of your domains. Our DMARC Management Platform visualizes the DMARC data so you can quickly identify authentication gaps and unauthorized use of your domains.

How dmarcian Can Help

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. You can register for a free trial, where our onboarding and support team will help you along the way.

---

Want to continue the conversation? Head over to the dmarcian Forum.