Anti-phishing mechanisms such as DMARC, SPF, and DKIM to become a requirement for PCI DSS 4.0

tl;dr The Payment Card Industry Data Security Standard (PCI DSS) has introduced new requirements in its 4.0 update, effective March 2025, that mandate the implementation of anti-phishing mechanisms like DMARC, SPF, and DKIM. These protocols are vital for safeguarding against increasingly sophisticated phishing attacks.

Understanding the PCI SSC and its role in payment security

The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by major payment card brands like Visa, Mastercard, American Express, Discover, and JCB International. The council’s primary mission is to develop and manage security standards for the payment card industry.

The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.

What’s the latest update to the PCI DSS framework?

In the latest version of the PCI DSS framework, version 4.0, the PCI SSC has introduced a significant new requirement that will take effect in March 2025. Businesses will now be required to implement anti-phishing mechanisms, specifically DMARC, SPF, and DKIM, to protect against phishing attacks as part of their PCI DSS assessment. These email security protocols are crucial for ensuring secure communications and safeguarding sensitive cardholder information. For a deeper dive into these protocols and their importance, explore our comprehensive Email Security Guide.

“Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […] This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0

Who will be affected by PCI DSS 4.0 anti-phishing requirements?

This update will significantly impact a wide range of industries since ‘the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.’ From Finance and Healthcare to Retail and Food services, any business that handles credit or debit card payments must implement these anti-phishing measures to stay compliant and protect customer data.

Are you ready for PCI DSS 4.0?

Use our free Investigate tool to quickly assess your current email security posture and get ahead of the 2025 compliance deadline.

Who does the DMARC mandate apply to?

The requirement to have anti-phishing mechanisms in place depends on 2 things:

1. The number of transactions you process

There are 4 PCI compliance levels determined by the number of transactions the organization handles each year.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

2. The type of business you are

The number of transactions and the type of merchant you are determines which Self Assessment Questionnaire (SAQ) you fill out or, in the case of level 1, whether you have to have an auditor come in.

Requirement 5.4.1 appears in the following SAQs, suggesting that not all types of businesses will have to comply with it:

  • SAQ A-EP
  • SAQ C
  • SAQ D Merchant
  • SAQ D Service Provider

In summary, the requirement to have anti-phishing mechanisms in place is not solely dependent on the number of transactions you process, but which ‘type’ of merchant you are. For more information, check out this PCI DSS guide on choosing the right SAQ.

How can Red Sift help?

To get ahead of the new anti-phishing requirements that will become mandated by 2025, you will need to have DMARC, SPF, or DKIM in place. It is best practice to implement all three protocols, as without them you cannot guarantee effective protection from phishing attacks.

DMARC leverages SPF and DKIM to ensure that your business restricts unauthorized use of its domain and protects both in- and outbound business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing.
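As an added illustration (not Red Sift or PCI SSC code), the posture check below shows what "having DMARC, SPF and DKIM in place" means in DNS terms: it parses the published records and flags a missing or monitor-only DMARC policy, an SPF record that lets anyone send, and a DKIM selector with no key. The domains and records are constructed so the script runs offline; a real check would fetch the same TXT names over DNS.

```python
# Constructed stand-in for DNS TXT lookups (made-up domains and values).
# Real names: <domain>, _dmarc.<domain>, <selector>._domainkey.<domain>.
SAMPLE_TXT = {
    "good.test": "v=spf1 include:_spf.mailer.test -all",
    "_dmarc.good.test": "v=DMARC1; p=reject; rua=mailto:dmarc@good.test; pct=100",
    "sel1._domainkey.good.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "weak.test": "v=spf1 a mx +all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}

def parse_tags(record):
    """Turn 'k=v; k2=v2' (DMARC/DKIM tag syntax) into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, selectors=(), txt=SAMPLE_TXT):
    """Return findings for SPF, DMARC and DKIM; an empty list means enforcing."""
    findings = []
    spf = txt.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record")
    else:
        last = spf.split()[-1].lower()  # the 'all' mechanism decides the default
        if last not in ("-all", "~all"):
            findings.append("SPF: no restrictive all mechanism (" + last + ")")
    dmarc = parse_tags(txt.get("_dmarc." + domain, ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("DMARC: p=" + (policy or "?") + " does not block spoofed mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua, aggregate reports will not arrive")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 leaves part of the mail unenforced")
    # DKIM selectors are not discoverable from DNS alone; they come from the
    # DKIM-Signature headers of mail the domain actually sends.
    for sel in selectors:
        dkim = parse_tags(txt.get(sel + "._domainkey." + domain, ""))
        if not dkim.get("p"):
            findings.append("DKIM: selector " + sel + " has no public key")
    return findings

if __name__ == "__main__":
    for d in ("good.test", "weak.test"):
        print(d, assess_domain(d, selectors=("sel1",)) or ["OK"])
```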

Join the ranks of leading brands that trust Red Sift’s award-winning DMARC application, OnDMARC, to fortify their email security and meet PCI DSS 4.0 requirements. OnDMARC provides comprehensive protection against email impersonation, vendor fraud, and phishing attacks.

Don’t wait – you can sign up for a free demo now, or get started with our 14-day free trial to try out the application for yourself.

You can find and download v4.0 of the PCI DSS standard here.

PUBLISHED BY

Red Sift

24 Jul. 2023
