Anti-phishing mechanisms such as DMARC, SPF, and DKIM to become a requirement for PCI DSS

What is the PCI SSC?

The PCI SSC (Payment Card Industry Security Standards Council) is an organization that was founded in 2006 by major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB International. Its purpose is to develop and manage security standards for the payment card industry.

The PCI SSC is responsible for the development and evolution of a standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a framework of security requirements designed to ensure the protection of cardholder data, maintain a secure payment card environment, and prevent data breaches.

What’s the latest update to the PCI DSS framework?

The PCI SSC has announced that as of March 2025, anti-phishing mechanisms to protect users against phishing attacks will become a requirement during a PCI DSS assessment. They list DMARC, SPF, and DKIM, email security protocols that help to block phishing attacks, as examples of such mechanisms.

Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. […} This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”

Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0

Who is going to be impacted?

This update will have far-reaching implications as “the PCI DSS applies to all entities that store, process, and/or transmit cardholder data.” It will impact any industry that processes credit or debit card payments, whether that’s Finance, Healthcare, Retail, or Food.

Check your DMARC setup now

To check whether you’re a merchant who already has DMARC in place, use our free Investigate tool to get a quick read of your email security setup

Who does the DMARC mandate apply to?

The requirement to have anti-phishing mechanisms in place depends on 2 things:

1. The number of transactions you process 

There are 4 PCI compliance levels determined by the number of transactions the organization handles each year.

Level 1: Merchants that process over 6 million card transactions annually.

Level 2: Merchants that process 1 to 6 million transactions annually.

Level 3: Merchants that process 20,000 to 1 million transactions annually.

Level 4: Merchants that process fewer than 20,000 transactions annually.

2. The type of business you are

The number of transactions and the type of merchant you are determines which Self Assessment Questionnaire (SAQ) you fill out or, in the case of level 1, whether you have to have an auditor come in.

Requirement 5.4.1 appears in the following SAQs, suggesting that not all types of businesses will have to comply with it:

  • SAQC
  • SAQD Merchant
  • SAQD Service Provider

In summary, the requirement to have anti-phishing mechanisms in place is not solely dependent on the number of transactions you process, but which ‘type’ of merchant you are. For more information, check out this PCI DSS guide on choosing the right SAQ.

How can Red Sift help?

To get ahead of the new anti-phishing requirements that will become mandated by 2025, you will need to have DMARC, SPF, or DKIM in place. It is best practice to implement all three protocols, as without DMARC you cannot guarantee effective protection from phishing attacks. 

DMARC leverages SPF and DKIM to ensure that your business restricts unauthorized use of its domain and protects both in- and outbound business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing.

A huge number of big-name brands who comply with PCI DSS have already chosen Red Sift’s award-winning DMARC application, OnDMARC, to help them block email impersonation attacks. Learn more about OnDMARC and how it can help protect your business from attackers, or sign up for a free 14-day demo to try out the application for yourself.

You can find and download v4.0 of the standard, or just the summary of changes here.


Red Sift

24 Jul. 2023



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to Latest update: 27th June 2024 Sansec, a…

Read more