Anti-phishing mechanisms such as DMARC, SPF, and DKIM to become a requirement for PCI DSS 4.0

tl;dr Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) introduces requirement 5.4.1, which calls for mechanisms that detect and protect personnel against phishing. It is a best practice until 31 March 2025 and mandatory after that date. For email, the way to meet it is to deploy the authentication protocols SPF, DKIM, and DMARC, which together let receiving mail servers reject messages that impersonate your domain.

Understanding the PCI SSC and its role in payment security

The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by major payment card brands like Visa, Mastercard, American Express, Discover, and JCB International. The council’s primary mission is to develop and manage security standards for the payment card industry.

The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.

What’s the latest update to the PCI DSS framework?

In the latest version of the PCI DSS framework, version 4.0, the PCI SSC has introduced a significant new requirement that takes effect on 31 March 2025. Businesses will be required to implement anti-phishing mechanisms, which for email means the authentication protocols DMARC, SPF, and DKIM, to protect against phishing attacks as part of their PCI DSS assessment. These protocols stop attackers from sending mail that appears to come from your own domain and so help safeguard sensitive cardholder information. For a deeper dive into these protocols and their importance, explore our comprehensive Email Security Guide.

“Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […] This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0

Who will be affected by PCI DSS 4.0 anti-phishing requirements?

This update will significantly impact a wide range of industries since ‘the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.’ From Finance and Healthcare to Retail and Food services, any business that handles credit or debit card payments must implement these anti-phishing measures to stay compliant and protect customer data.

Are you ready for PCI DSS 4.0?

Use our free Investigate tool to quickly assess your current email security posture and get ahead of the 2025 compliance deadline.

Who does the DMARC mandate apply to?

Whether the requirement to have anti-phishing mechanisms in place applies to you depends on two things:

1. The number of transactions you process 

There are four PCI merchant compliance levels, set by the card brands and determined by the number of transactions the organization handles each year. The exact thresholds, and whether they count e-commerce transactions or all transactions, vary slightly from brand to brand; the figures below are the commonly cited ones.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

2. The type of business you are

The number of transactions and the type of merchant you are determine which Self-Assessment Questionnaire (SAQ) you fill out or, in the case of Level 1, whether a Qualified Security Assessor (QSA) must carry out a full on-site assessment instead.

Requirement 5.4.1 appears in the following SAQs, which means that not every type of business will have to comply with it:

  • SAQ A-EP
  • SAQ C
  • SAQ D for Merchants
  • SAQ D for Service Providers

In summary, whether you must have anti-phishing mechanisms in place does not depend solely on the number of transactions you process, but also on which ‘type’ of merchant you are and therefore which SAQ you complete. For more information, check out this PCI DSS guide on choosing the right SAQ.

How can Red Sift help?

To get ahead of the new anti-phishing requirements that become mandatory in 2025, you will need DMARC, SPF, and DKIM in place. The three are not interchangeable: SPF and DKIM only authenticate a message (by sending server and by signature respectively), while DMARC is the protocol that ties those results to the visible From: domain and tells receivers what to do when authentication fails. DMARC therefore depends on at least one of SPF or DKIM, and a DMARC record with a policy of p=none only monitors and still lets spoofed mail be delivered. Implement all three, and move the DMARC policy to quarantine or reject, to get effective protection from domain spoofing.

DMARC builds on SPF and DKIM to let your business restrict unauthorized use of its domain: a receiving server that checks DMARC rejects or quarantines mail that claims to come from your domain but fails aligned SPF and DKIM, and the aggregate reports DMARC generates show who is sending on the domain’s behalf. This protects outbound email to customers, suppliers, and partners from exact-domain spoofing, and protects inbound email when your own gateway enforces your senders’ DMARC policies, which blocks a large class of vendor fraud, the credential-phishing emails that lead to account takeover, and email spoofing. One caveat a practitioner should keep in mind: DMARC does not stop lookalike domains or mail sent from a genuinely compromised mailbox, so it complements rather than replaces user-facing phishing controls.
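The following is an added example, not code from Red Sift or from the PCI DSS standard, showing how a receiving mail server combines SPF and DKIM results into a DMARC verdict as specified in RFC 7489, and a simple posture check for whether a DMARC record actually enforces anything. The DMARC records, the domain example.com, the sender domains, and the SPF/DKIM results are all constructed for the demonstration; the organizational-domain helper is a deliberate simplification (real validators consult the Public Suffix List).

```python
"""Added example (not Red Sift's or the PCI SSC's code): how DMARC combines
SPF and DKIM results per RFC 7489, plus a posture check on the DMARC record.
All records and authentication results below are constructed sample data."""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption/simplification: the last two labels.
    Production code must use the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match with the RFC5322.From
    domain; relaxed only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_result: str   # "pass", "fail", "none", ...
    spf_domain: str   # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str
    dkim_domain: str  # d= tag of the DKIM signature ("" if unsigned)


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResults):
    """Return (dmarc_result, disposition). DMARC passes when at least one of
    SPF or DKIM passes AND that identifier aligns with the From: domain.
    pct is assumed to be 100, so every failing message gets the policy."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail from a subdomain falls under sp= when the record sits at the org domain.
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    return "fail", policy


def is_enforcing(record: str) -> bool:
    """Posture check: p=none only monitors, so spoofed mail is still delivered."""
    tags = parse_dmarc(record)
    return tags["p"] in ("quarantine", "reject") and tags["pct"] == "100"


# Constructed records for the hypothetical domain example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed results. A spoofed invoice: the attacker's server passes SPF for its
# own domain and adds no DKIM signature for example.com, so nothing aligns.
SPOOFED = AuthResults("pass", "mail.attacker-example.net", "none", "")
# Legitimate mail via a bulk sender: SPF checks the bounce subdomain (relaxed
# alignment passes) and the message carries a DKIM signature for example.com.
LEGIT = AuthResults("pass", "bounce.example.com", "pass", "example.com")

if __name__ == "__main__":
    for name, rec in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCING)):
        print(name, "spoofed ->", evaluate_dmarc("example.com", rec, SPOOFED),
              "legit ->", evaluate_dmarc("example.com", rec, LEGIT),
              "enforcing:", is_enforcing(rec))
```

Running the block shows the point made above: under the p=none record the spoofed message fails DMARC but its disposition is still "none", so it is delivered; only the p=reject record turns the same failure into a rejection, while the legitimately signed message passes under both.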

Join the ranks of leading brands that trust Red Sift’s award-winning DMARC application, OnDMARC, to fortify their email security and meet PCI DSS 4.0 requirements. OnDMARC provides comprehensive protection against email impersonation, vendor fraud, and phishing attacks.

Don’t wait – you can sign up for a free demo now, or get started with our 14-day free trial to try out the application for yourself.

You can find and download v4.0 of the PCI DSS standard here.

PUBLISHED BY

Red Sift

24 Jul. 2023
