Anti-phishing mechanisms such as DMARC, SPF, and DKIM to become a requirement for PCI DSS 4.0

tl;dr The Payment Card Industry Data Security Standard (PCI DSS) has introduced new requirements in its 4.0 update, effective March 2025, that mandate the implementation of anti-phishing mechanisms like DMARC, SPF, and DKIM. These protocols are vital for safeguarding against increasingly sophisticated phishing attacks.

Understanding the PCI SSC and its role in payment security

The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by major payment card brands like Visa, Mastercard, American Express, Discover, and JCB International. The council’s primary mission is to develop and manage security standards for the payment card industry.

The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.

What’s the latest update to the PCI DSS framework?

In the latest version of the PCI DSS framework, version 4.0, the PCI SSC has introduced a significant new requirement that will take effect in March 2025. Businesses will now be required to implement anti-phishing mechanisms, specifically DMARC, SPF, and DKIM, to protect against phishing attacks as part of their PCI DSS assessment. These email security protocols are crucial for ensuring secure communications and safeguarding sensitive cardholder information. For a deeper dive into these protocols and their importance, explore our comprehensive Email Security Guide.

Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […} This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0

Who will be affected by PCI DSS 4.0 anti-phishing requirements?

This update will significantly impact a wide range of industries since ‘the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.’ From Finance and Healthcare to Retail and Food services, any business that handles credit or debit card payments must implement these anti-phishing measures to stay compliant and protect customer data.

Are you ready for PCI DSS 4.0?

Use our free Investigate tool to quickly assess your current email security posture and get ahead of the 2025 compliance deadline.

Who does the DMARC mandate apply to?

The requirement to have anti-phishing mechanisms in place depends on 2 things:

1. The number of transactions you process 

There are 4 PCI compliance levels determined by the number of transactions the organization handles each year.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

2. The type of business you are

The number of transactions and the type of merchant you are determines which Self Assessment Questionnaire (SAQ) you fill out or, in the case of level 1, whether you have to have an auditor come in.

Requirement 5.4.1 appears in the following SAQs, suggesting that not all types of businesses will have to comply with it:

  • SAQAEP
  • SAQC
  • SAQD Merchant
  • SAQD Service Provider

In summary, the requirement to have anti-phishing mechanisms in place is not solely dependent on the number of transactions you process, but which ‘type’ of merchant you are. For more information, check out this PCI DSS guide on choosing the right SAQ.

How can Red Sift help?

To get ahead of the new anti-phishing requirements that will become mandated by 2025, you will need to have DMARC, SPF, or DKIM in place. It is best practice to implement all three protocols, as without them you cannot guarantee effective protection from phishing attacks. 

DMARC leverages SPF and DKIM to ensure that your business restricts unauthorized use of its domain and protects both in- and outbound business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing.

Join the ranks of leading brands that trust Red Sift’s award-winning DMARC application, OnDMARC, to fortify their email security and meet PCI DSS 4.0 requirements. OnDMARC provides comprehensive protection against email impersonation, vendor fraud, and phishing attacks.

Don’t wait – you can sign up for a free demo now, or get started with our 14-day free trial to try out the application for yourself.

You can find and download v4.0 of the PCI DSS standard here.

PUBLISHED BY

Red Sift

24 Jul. 2023

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more
Certificates

Never miss an expiring certificate again with Red Sift Certificates Lite

Francesca Rünger-Field

SSL/TLS certificates are the backbone of secure, uninterrupted digital experiences—but managing them effectively to prevent downtime remains a persistent challenge. With browser and certificate authorities looking to reduce certificate durations to as little as 90 or even 47 days, keeping track of renewals has never been more critical. That’s why we’re excited to introduce…

Read more
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more
DMARC

Mail Check is changing: What UK public sector organisations must know about…

Jack Lilley

The National Cyber Security Centre (NCSC) has suggested a change to Mail Check services starting on 24 March 2025. This change mainly involves ending DMARC aggregate reporting. This change comes as a measure to expand the services provided by Mail Check to any UK based organisation, while also limiting the cost and complexity of…

Read more