tl;dr PCI DSS v4.0 adds Requirement 5.4.1, which obliges in-scope entities to run processes and automated mechanisms that detect and protect personnel against phishing. It is a best practice until 31 March 2025 and mandatory after that date. The standard's guidance names DMARC, SPF, and DKIM as examples of such mechanisms, and in practice these three protocols are how you stop attackers sending mail that appears to come from your domain.
Understanding the PCI SSC and its role in payment security
The Payment Card Industry Security Standards Council (PCI SSC) was established in 2006 by major payment card brands like Visa, Mastercard, American Express, Discover, and JCB International. The council’s primary mission is to develop and manage security standards for the payment card industry.
The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.
What’s the latest update to the PCI DSS framework?
In the latest version of the PCI DSS framework, version 4.0, the PCI SSC has introduced a significant new requirement that becomes mandatory on 31 March 2025. Businesses will need to show, as part of their PCI DSS assessment, that they have anti-phishing mechanisms in place; the standard's guidance for the requirement cites DMARC, SPF, and DKIM as examples of the anti-spoofing controls it has in mind. These email authentication protocols are the foundation for keeping attackers from impersonating your domain in messages to staff, customers, and partners who handle cardholder data. For a deeper dive into these protocols and their importance, explore our comprehensive Email Security Guide.
“Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […] This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”
Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0
Who will be affected by PCI DSS 4.0 anti-phishing requirements?
This update will significantly impact a wide range of industries since ‘the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.’ From Finance and Healthcare to Retail and Food services, any business that handles credit or debit card payments must implement these anti-phishing measures to stay compliant and protect customer data.
Who does the DMARC mandate apply to?
Whether you will be assessed against the anti-phishing requirement depends on two things:
1. The number of transactions you process
There are four merchant compliance levels, determined by the number of card transactions the organization handles each year. The levels are set by the individual card brands rather than by the PCI SSC, so the exact thresholds vary slightly by brand; the commonly cited ones are:
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process 1 to 6 million transactions annually.
Level 3: Merchants that process 20,000 to 1 million transactions annually.
Level 4: Merchants that process fewer than 20,000 transactions annually.
2. The type of business you are
Together, your transaction volume and the way you accept payments determine which Self-Assessment Questionnaire (SAQ) you complete or, for Level 1 merchants, that you need a full on-site assessment documented in a Report on Compliance (ROC), typically performed by a Qualified Security Assessor (QSA).
Requirement 5.4.1 appears in the following SAQs, which means not every type of merchant will be assessed against it:
- SAQ A-EP
- SAQ C
- SAQ D for Merchants
- SAQ D for Service Providers
In summary, whether you must demonstrate anti-phishing mechanisms is not decided by transaction volume alone but by which ‘type’ of merchant or service provider you are and therefore which SAQ (or ROC) applies to you. For more information, check out this PCI DSS guide on choosing the right SAQ.
How can Red Sift help?
To get ahead of the anti-phishing requirement before it becomes mandatory in 2025, you will need DMARC, SPF, and DKIM in place. All three are needed, not just one: DMARC is built on the other two, and a message only passes DMARC when SPF or DKIM passes for a domain that aligns with the visible From address. DMARC also has to reach an enforcing policy (p=quarantine or p=reject) before receivers will actually act on it; a p=none record only reports.
DMARC leverages SPF and DKIM so that receiving mail servers can quarantine or reject messages that claim to come from your domain but were not sent through your authorized infrastructure. That shuts down the most direct form of email spoofing, the kind behind much vendor and invoice fraud and credential phishing aimed at customers, suppliers, and partners. Enforcing DMARC checks on your inbound gateway extends the same protection to your own staff against messages that spoof other enforcing domains. Note that DMARC does not stop mail sent from a legitimately compromised account, since such mail authenticates normally.
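To make concrete what “DMARC leverages SPF and DKIM” means in a receiver's decision, here is an added example, not taken from the PCI DSS or from Red Sift's products: a minimal offline DMARC evaluator in Python. The DNS records, domains, and SPF/DKIM authentication results are constructed for illustration, and the organizational-domain helper is a deliberate simplification of what real receivers do with the Public Suffix List.

```python
"""Added example: how a receiver combines SPF and DKIM results into a DMARC verdict.

Everything is offline. The TXT records and authentication results below are
constructed for illustration; the domains are hypothetical.
"""
from dataclasses import dataclass

# Constructed TXT records for a hypothetical domain. A real receiver fetches these from DNS.
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.example-mailer.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")      # DKIM alignment mode: relaxed unless stated
    tags.setdefault("aspf", "r")       # SPF alignment mode: relaxed unless stated
    tags.setdefault("sp", tags["p"])   # subdomain policy falls back to p=
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Production code uses the Public Suffix List
    (this helper maps 'shop.example.co.uk' to 'co.uk', which is wrong)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header, the one the user sees
    spf_result: str    # "pass" / "fail" / "none" for the RFC5321.MailFrom domain
    spf_domain: str
    dkim_result: str   # "pass" / "fail" / "none" for the signature's d= domain
    dkim_domain: str


def lookup_policy(from_domain: str, dns: dict = SAMPLE_DNS):
    """Return (policy, inherited): the From domain's own record, else the org domain's."""
    if f"_dmarc.{from_domain}" in dns:
        return parse_dmarc(dns[f"_dmarc.{from_domain}"]), False
    org = organizational_domain(from_domain)
    if f"_dmarc.{org}" in dns:
        return parse_dmarc(dns[f"_dmarc.{org}"]), True
    return None, False


def evaluate_dmarc(r: AuthResults, dns: dict = SAMPLE_DNS) -> tuple:
    """Return (dmarc_result, disposition). A message passes only if SPF or DKIM passes
    AND that passing identifier aligns with the From domain; an attacker whose own
    domain passes SPF gains nothing, because it does not align."""
    policy, inherited = lookup_policy(r.from_domain, dns)
    if policy is None:
        return "none", "none"
    spf_ok = r.spf_result == "pass" and is_aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and is_aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= sampling is ignored here; RFC 7489 applies the next-weaker policy to unsampled mail.
    return "fail", (policy["sp"] if inherited else policy["p"])


if __name__ == "__main__":
    cases = {
        "legitimate, SPF + DKIM": AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com"),
        "spoof, attacker's own SPF": AuthResults("example.com", "pass", "attacker.example.net", "none", ""),
        "forwarded, SPF broken":    AuthResults("example.com", "fail", "bounce.example.com", "pass", "example.com"),
        "unsigned subdomain":       AuthResults("billing.example.com", "fail", "example.org", "none", ""),
    }
    for name, res in cases.items():
        print(f"{name:28} -> {evaluate_dmarc(res)}")
```

The third case is the one that trips up organizations that deploy SPF alone: a forwarder re-sends the message from its own IP, SPF fails, and only an aligned DKIM signature keeps the legitimate mail from being rejected by your own p=reject policy. The fourth shows why the sp= tag matters: a subdomain that nobody publishes records for still inherits a policy from the organizational domain.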
Join the ranks of leading brands that trust Red Sift’s award-winning DMARC application, OnDMARC, to fortify their email security and meet PCI DSS 4.0 requirements. OnDMARC provides comprehensive protection against email impersonation, vendor fraud, and phishing attacks.
Don’t wait – you can sign up for a free demo now, or get started with our 14-day free trial to try out the application for yourself.
You can find and download v4.0 of the PCI DSS standard here.