In an increasingly digital age, 82% of consumers pay with some form of digital payment. Now that most people pay with a debit or credit card, scammers have a great opportunity to steal their information.
That’s why the PCI SSC sets specific standards and security for any business that processes payments.
Soon, DMARC will be a part of that standard.
The PCI SSC standard
The Payment Card Industry Security Standards Council (PCI SSC) maintains the PCI Data Security Standard (PCI DSS), a set of security requirements that consolidates the best practices implemented by Mastercard, Discover, American Express, and Visa starting in 2004. It’s designed to protect credit and debit card transactions from fraud and data theft by requiring merchants to protect cardholders’ information.
This standard was created to focus on payment card environments and data. It can also apply to other ecosystems, such as email, whenever credit card information is stored, transmitted, or processed there.
By March 2025, DMARC implementation will be a mandatory requirement of the latest PCI DSS version 4.0, according to the PCI SSC. DMARC is an important anti-spoofing and phishing measure that helps protect companies from email-based attacks, and the PCI SSC currently recommends it as a best practice for businesses.
However, according to Karl Mattson from NoName Security, audits under the new PCI DSS 4.0 guidelines will happen around June 2024.
After the coming deadline, companies that process, store, or transmit any card data will need to implement DMARC along with SPF and DKIM for a comprehensive approach to email authentication. To properly protect employees, customers, and partners from same-domain spoofing attacks, they’ll need to have a DMARC policy of p=reject or p=quarantine at a minimum.
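As an added example (not code from the original post or from Valimail), here is a small Python checker that classifies a domain’s DMARC TXT record against the enforcement bar described above: p=quarantine or p=reject, applied to all mail. It does not query DNS; the record strings in the block are constructed samples, and a pct= value below 100 or an sp=none override is reported as only partial enforcement.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict; return {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags

def enforcement_status(record: str) -> str:
    """
    Classify a record relative to the PCI DSS bar discussed above:
      'enforcing'  -> p=quarantine or p=reject applied to 100% of mail
      'partial'    -> enforcing policy, but pct= below 100 or sp=none leaves gaps
      'monitoring' -> p=none (reports only, spoofed mail still delivered)
      'invalid'    -> missing, non-DMARC, or malformed record
    """
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING | {"none"}:
        return "invalid"
    if policy == "none":
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))   # default is 100 when pct= is absent
    except ValueError:
        return "invalid"                    # treat a non-numeric pct= as malformed
    subdomain_policy = tags.get("sp", policy).lower()  # sp= falls back to p=
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforcing"

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "enforcing.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "partial.example":    "v=DMARC1; p=quarantine; pct=25",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "nodmarc.example":    "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {enforcement_status(record)}")
```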
When this new PCI DSS version goes into effect, it won’t only impact the finance industry. It will affect any industry that processes credit or debit card payments.
For example, businesses in these industries will need to implement DMARC:
- Insurance agencies
Companies that will be impacted should know that these audits are taken seriously.
“PCI QSAs are not renowned for their sympathy when they do PCI audits. You can’t win over an argument with a PCI auditor. It’s a very binary framework for looking at controls; there is no room for maneuverability.”
Karl Mattson, CISO at NoName Security
What this means for businesses
If your business transmits, stores, or processes any payments involving cardholder data, then you will eventually need to meet this standard and accelerate your path to DMARC enforcement, if you haven’t done so already.
“We are encouraged by the focus on email protection in the most recent PCI DSS standards. In studying the world’s largest 800 financial services institutions, we were encouraged to see that 80% have implemented DMARC.
“However, only 43% have reached DMARC enforcement to prevent exact domain spoofing attacks. We believe that this is a meaningful gap in customer protection and will be addressed with this update to the compliance documentation. Overall, this will provide greater peace of mind for consumers when sharing their sensitive financial information.”
Kevin Dunne, COO of Valimail
If you’re unsure whether you are on the growing list of companies at DMARC enforcement, check your domain today.
Implement DMARC today
Even if the PCI DSS 4.0 standard doesn’t require DMARC until March 2025, audits will begin in June 2024. Depending on how you choose to implement DMARC, it can take some time to reach enforcement, so it’s best to start today.
The first step in implementing DMARC is getting visibility into the activity happening in your domain and the potential risks at hand. This can be a complicated process to do yourself, but we make it easy with our free Valimail Monitor subscription.
Take the first step towards DMARC enforcement and sign up for a free account on Valimail Monitor to get insights into your sending services.