Anti-phishing mechanisms such as DMARC, SPF, and DKIM to become a requirement for PCI DSS 4.0

tl;dr The Payment Card Industry Data Security Standard (PCI DSS) has introduced new requirements in its 4.0 update, effective March 2025, that mandate the implementation of anti-phishing mechanisms like DMARC, SPF, and DKIM. These protocols are vital for safeguarding against increasingly sophisticated phishing attacks.

Understanding the PCI SSC and its role in payment security

The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by major payment card brands like Visa, Mastercard, American Express, Discover, and JCB International. The council’s primary mission is to develop and manage security standards for the payment card industry.

The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.

What’s the latest update to the PCI DSS framework?

In the latest version of the PCI DSS framework, version 4.0, the PCI SSC has introduced a significant new requirement that will take effect in March 2025. Businesses will now be required to implement anti-phishing mechanisms, specifically DMARC, SPF, and DKIM, to protect against phishing attacks as part of their PCI DSS assessment. These email security protocols are crucial for ensuring secure communications and safeguarding sensitive cardholder information. For a deeper dive into these protocols and their importance, explore our comprehensive Email Security Guide.

“Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […] This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0

Who will be affected by PCI DSS 4.0 anti-phishing requirements?

This update will significantly impact a wide range of industries since ‘the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.’ From Finance and Healthcare to Retail and Food services, any business that handles credit or debit card payments must implement these anti-phishing measures to stay compliant and protect customer data.

Are you ready for PCI DSS 4.0?

Use our free Investigate tool to quickly assess your current email security posture and get ahead of the 2025 compliance deadline.

Who does the DMARC mandate apply to?

The requirement to have anti-phishing mechanisms in place depends on 2 things:

1. The number of transactions you process 

There are 4 PCI compliance levels determined by the number of transactions the organization handles each year.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

2. The type of business you are

The number of transactions and the type of merchant you are determine which Self-Assessment Questionnaire (SAQ) you fill out or, in the case of Level 1, whether you have to have an auditor come in.

Requirement 5.4.1 appears in the following SAQs, suggesting that not all types of businesses will have to comply with it:

  • SAQ A-EP
  • SAQ C
  • SAQ D Merchant
  • SAQ D Service Provider

In summary, the requirement to have anti-phishing mechanisms in place is not solely dependent on the number of transactions you process, but which ‘type’ of merchant you are. For more information, check out this PCI DSS guide on choosing the right SAQ.

How can Red Sift help?

To get ahead of the new anti-phishing requirements that become mandatory in 2025, you will need DMARC, SPF, or DKIM in place. It is best practice to implement all three protocols, since without all of them you cannot guarantee effective protection from phishing attacks.

DMARC builds on SPF and DKIM: it lets your business restrict unauthorized use of its domain and protects both inbound and outbound email with customers, suppliers, and partners by blocking vendor fraud, account takeover, and email spoofing.

Join the ranks of leading brands that trust Red Sift’s award-winning DMARC application, OnDMARC, to fortify their email security and meet PCI DSS 4.0 requirements. OnDMARC provides comprehensive protection against email impersonation, vendor fraud, and phishing attacks.

Don’t wait – you can sign up for a free demo now, or get started with our 14-day free trial to try out the application for yourself.

You can find and download v4.0 of the PCI DSS standard here.

PUBLISHED BY

Red Sift

24 Jul. 2023
