PCI-DSS takes aim at phishing attacks

Executive Summary: The latest PCI-DSS update underscores the critical need for strong email authentication to combat phishing threats. Red Sift OnDMARC and Red Sift Certificates solutions empower organizations to meet these standards, ensuring the protection of sensitive customer information.​

This article:

  • Highlights the Payment Card Industry Data Security Standard’s (PCI-DSS) proactive measures against phishing.​
  • Emphasizes the necessity for robust email authentication to protect sensitive data.
  • ​Discusses how Red Sift OnDMARC and Red Sift Certificates solutions aid in compliance and security.

Introduction

The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized framework for securing cardholder data managed by merchants and service providers. It outlines rigorous security measures to protect payment card information during storage, processing, and transmission, reducing risks of data breaches and unauthorized access. 

In its latest update, the PCI Security Standards Council has shifted toward proactive measures to address phishing attacks, recognizing that traditional defenses are insufficient against evolving threats. Requirement 5.4.1 recommends tools like DMARC, DKIM, and SPF to safeguard employees, while 4.2.1 and 4.2.1.1 focus on verifying and managing certificates that secure PAN during transmission. But why is phishing now a focal point?

Why phishing is a top threat

Phishing remains one of the most effective entry points for cybercriminals, accounting for 58.52% of initial compromises. Employees are often tricked into revealing credentials, downloading malware, or granting unauthorized access, with human error contributing to 68% of breaches, according to the 2024 Verizon Data Breach Investigations Report

Many organizations lack sufficient training and visibility tools to counter evolving phishing tactics, leaving them exposed. Security leaders face a significant threat from bad actors that are crafting deceptive attacks to compromise employees through impersonation.

The role of certificate management

There’s a growing awareness of vulnerabilities related to keys and certificates, particularly in how they are managed and deployed. Issues such as expired certificates, weak encryption algorithms, and the use of self-signed certificates have all been identified as potential weak points that could be exploited by bad actors.

As organizations scale, managing hundreds or thousands of certificates increases the risk of oversight, which can lead to costly breaches or downtime. Frameworks like NIST and ISO stress the importance of robust certificate management and inventory to mitigate these risks and maintain compliance with PCI-DSS.

Building resilience: Red Sift OnDMARC and Certificates

One of the most effective ways to reduce phishing attacks for any organization is by implementing a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy, ideally set to “p=reject.” This configuration provides visibility into who is using your domain and prevents bad actors from impersonating legitimate senders in phishing attacks. For example, Business Email Compromise (BEC) schemes often trick employees into purchasing gift cards or transferring funds, posing as high-level executives:

Red Sift’s OnDMARC helps organizations combat phishing by progressing organizations to a DMARC policy set to “p=reject.” This ensures only authorized services can send emails using your domain, preventing impersonation and attacks like Business Email Compromise (BEC). With features like TLS reporting and one-click MTA-STS deployment, OnDMARC simplifies adoption of advanced security measures and provides continuous monitoring for better email security.

Meanwhile, Red Sift Certificates has you covered for requirements 4.2.1 and 4.2.1.1. Our platform provides centralized control, monitoring, and automated alerts for TLS certificates, ensuring compliance and reducing the risk of breaches, downtime and reputational damage due to expired or misconfigured certificates. By combining OnDMARC and Certificates, organizations gain a comprehensive approach to protecting against phishing and securing their infrastructure, minimizing downtime, and safeguarding sensitive data. Trusted by leading brands and government organizations, let us help you:

  • Simplify compliance with PCI-DSS.
  • Mitigate the risk of phishing and impersonation.
  • Prevent breaches caused by expired or misconfigured certificates.
  • Safeguard sensitive customer and organizational data.

Contact the Red Sift team today to strengthen your defenses and secure your business.

PUBLISHED BY

Billy McDiarmid

22 Jan. 2025

SHARE ARTICLE:

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more