Credit Card Industry Spurs Businesses to Use DMARC Tools

Businesses both large and small face a looming deadline to implement the global domain-based message authentication, reporting, and conformance (DMARC) standard for email security and brand protection — or face significant consequences.

The Payment Card Industry Security Standards Council (PCI SSC) has mandated DMARC use by 2025 for any company handling credit cards and other payments, as well as for financial services providers.[1] DMARC is officially part of the newest PCI Data Security Standard, version 4 (PCI DSS v4.0).

The DMARC requirement is meant to help businesses operate more securely in an economic landscape that has seen data breaches and credit card thefts continue to mount in number and cost, according to recent cybersecurity statistics. It is also expected to accelerate DMARC adoption, since failure to comply with PCI DSS could lead to fines and penalties up to a business losing its right to handle payments. On the other hand, most companies — especially small and medium-sized businesses (SMBs) — are challenged to adopt the email authentication standard because DMARC tools have proven complicated to deploy.

Why PCI Compliance Now Requires DMARC Tools

DMARC, first published in 2015 by the Internet Engineering Task Force (IETF), lets email senders and recipients share information about the legitimacy of emails as well as instructions on handling suspicious mail. For instance, those instructions — called DMARC policies — could be set to automatically reject email coming from domains that fail a DMARC authentication test.

Meanwhile, the PCI SSC has been working to combat credit card theft and fraud since its founding in 2006 by a group of credit card companies. The 800 credit card and payment-processing companies that now make up the PCI SSC mandate PCI compliance in their contracts and include fines and other penalties for noncompliance. [2]

Now, thanks to DMARC’s effectiveness at preventing phishing emails that spoof a brand’s domain from getting through to recipients, the two efforts are converging in PCI DSS v4.0. 

Both phishing and brand spoofing have been on the rise:

• Phishing: Retailers and other companies singled out phishing as the most prevalent type of fraud attack and a growing problem in the Merchant Risk Council’s Global Fraud and Payments Report 2023.[3] In fact, 43% of merchants said they experienced fraud via phishing attacks in 2022, up from 35% in 2021.
• Spoofing: In Mimecast’s State of Email Security 2023 (SOES 2023) report, nearly all companies said they’d seen their web domain cloned in the past year. And 44% said they’d seen a year-over-year increase in the misuse of their brands via spoofed email.

Companies’ costs related to cyber credit card theft are growing. According to IBM’s 2023 Cost of a Data Breach Report, compromised records with personally identifiable information (PII), including those with credit card information, cost businesses $183 per record — more than any other category of asset stolen in data breaches. [4]  Customer PII is also the most breached record type of all, compared to employee PII, intellectual property, and other categories. Customer PII represents 52% of all breaches in the 2023 report, up eight percentage points over the past two years.

Consumers’ concerns are also mounting, according to the Identity Theft Resource Center (ITRC), whose 2023 Consumer Impact Report cited a rise in sophisticated social engineering scams such as phishing for credit card numbers and an increase in related dollar losses. [5]  Nearly one-third (31%) of the victims who reported identity theft to the ITRC in 2022 felt compelled to freeze their credit.

The Marriage of PCI DSS and DMARC Tools

Issued in March 2022, PCI DSS v4.0 cites anti-phishing mechanisms such as DMARC as a recommended best practice. By the end of March 2025, such efforts will be required for PCI compliance.[6]

The updated standard calls for a combination of anti-phishing controls, applied company-wide. The list includes:

• DMARC tools and the related Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), to help stop phishers from spoofing the entity’s domain and impersonating personnel.
• Anti-malware technologies and URL protection, for blocking phishing emails and malware before they reach personnel.
• Employee cybersecurity training for rapid identification and reporting of malicious emails.

Other general PCI DSS provisions applicable to the security of email and email archives include network security controls, encryption, acceptable use policies, testing, and minimum data retention and disposal policies — all within the framework of an overarching information security policy.

Companies Had Been Slow to Deploy DMARC Tools

Merchants are spending about one-tenth of their annual ecommerce revenue to manage payment fraud in general, according to the Global Fraud and Payments Report.[7] So far, DMARC has not figured prominently in companies’ budgets.

Mimecast’s SOES 2023 report confirmed that the rollout of DMARC plateaued in recent years at under 30% market penetration. A Mimecast-sponsored report from Enterprise Strategy Group (ESG) found DMARC falling short of its full potential in another way. Rather than using DMARC tools to set and enforce policies on handling illicit emails (e.g., automatically rejecting them), they’ve been used primarily for monitoring and reporting.

Complexity has hindered the use of DMARC tools. DMARC reporting can be time-consuming, as security teams sift through innumerable reports to validate which domains are valid and which are not, according to the ESG report. 

PCI Compliance to Accelerate DMARC Uptake

The PCI DSS v4.0 standard and PCI compliance obligations are expected to change that. Companies typically self-assess compliance with existing and new requirements, but data breaches draw the scrutiny of PCI compliance officials. According to a recent CSO Online article, fines vary but may be assessed at $5,000 per month, increasing tenfold if compliance isn’t restored within several months. Fines of $50 to $90 per customer affected by a data breach may also be incurred if a business failed to comply with PCI.[8] 

Other recent developments, such as the emergence of zero-trust strategies, are also accelerating DMARC uptake, as is the growing availability of managed DMARC services and self-service platforms. Solutions like these are reducing DMARC complexity with aids such as record-setup wizards and user-friendly reports for analysis and policy enforcement. Solutions such as Mimecast’s DMARC Analyzer can also be integrated across various security tools for even greater ease of use.

By the numbers, more than one-quarter (27%) of SOES 2023 survey respondents say their companies already use DMARC to combat email spoofing, 35% are in the process of rolling it out, and 26% are looking to roll it out in the next 12 months. 

The Bottom Line

Any company that handles payments faces a March 2025 deadline to implement DMARC tools for email security and brand protection under the latest update of the PCI DSS standard. The mandate is expected to reinvigorate DMARC’s rollout as the root problems of email phishing and credit card theft continue to mount. Get ready. Get a free trial of Mimecast’s DMARC Analyzer here.

[1] “Live Discussion on PCI DSS v4.0,” LinkedIn

[2] “Participating Organization Directory,” PCI Security Standards Council

[3] “2023 Global Fraud and Payments Report,” Merchant Risk Council and Visa Cybersource

[4] “Cost of a Data Breach Report 2023,” IBM and Ponemon Institute

[5] “2023 Consumer Impact Report,” Identity Theft Resource Center

[6] “Payment Card Industry Data Security Standard Version 4.0,” PCI Security Standards Council

[7] “2023 Global Fraud and Payments Report,” Merchant Risk Council and Visa Cybersource

[8] “PCI DSS Explained: Requirements, Fines, and Steps to Compliance,” CSO Online