Credit Card Industry Spurs Organizations to Use DMARC Tools
Businesses & public institutions everywhere use the PCI DSS standard for handling credit card data, as required by payment companies. Now, the standard includes DMARC email authentication.
- PCI DSS v4.0 will require organizations, including businesses and public organizations such as higher education institutions, to use DMARC tools to protect credit card data by March 2025.
- The new standard is expected to accelerate a lagging DMARC rollout.
Organizations large and small, including businesses and higher education institutions, face a looming deadline to implement the global domain-based message authentication, reporting, and conformance (DMARC) standard for email security and brand protection — or face significant consequences.
The Payment Card Industry Security Standards Council (PCI SSC) has mandated DMARC use by 2025 for any entity handling credit cards and other payments, as well as for financial services providers and higher education institutions that process credit card payments. DMARC is officially part of the newest PCI Data Security Standard, version 4 (PCI DSS v4.0).
The DMARC requirement is meant to help organizations operate more securely in an economic landscape that has seen data breaches and credit card thefts continue to mount in number and cost, according to recent cybersecurity statistics. It is also expected to accelerate DMARC adoption, since failure to comply with PCI DSS could lead to fines and penalties up to an organization losing its right to handle payments. On the other hand, most organizations — especially small and medium-sized businesses (SMBs) and higher-ed institutions — are challenged to adopt the email authentication standard because DMARC tools have proven complicated to deploy.
Why PCI Compliance Now Requires DMARC Tools
DMARC, first published in 2015 by the Internet Engineering Task Force (IETF), lets email senders and recipients share information about the legitimacy of emails as well as instructions on handling suspicious mail. For instance, those instructions — called DMARC policies — could be set to automatically reject email coming from domains that fail a DMARC authentication test.
Meanwhile, the PCI SSC has been working to combat credit card theft and fraud since its founding in 2006 by a group of credit card companies. The 800 credit card and payment-processing companies that now make up the PCI SSC mandate PCI compliance in their contracts and include fines and other penalties for noncompliance. 
Now, thanks to DMARC’s effectiveness at preventing phishing emails that spoof a brand’s domain from getting through to recipients, the two efforts are converging in PCI DSS v4.0.
Both phishing and brand spoofing have been on the rise:
- Phishing: Retailers and other organizations singled out phishing as the most prevalent type of fraud attack and a growing problem in the Merchant Risk Council’s Global Fraud and Payments Report 2023. In fact, 43% of merchants said they experienced fraud via phishing attacks in 2022, up from 35% in 2021.
- Spoofing: In Mimecast’s State of Email Security 2023 (SOES) report, nearly all organizations said they’d seen their web domain cloned in the past year. And 44% said they’d seen a year-over-year increase in the misuse of their brands via spoofed email.
Companies’ costs related to cyber credit card theft are growing. According to IBM’s 2023 Cost of a Data Breach Report, compromised records with personally identifiable information (PII), including those with credit card information, cost organizations $183 per record — more than any other category of asset stolen in data breaches.  Customer PII is also the most breached record type of all, compared to employee PII, intellectual property, and other categories. Customer PII represents 52% of all breaches in the 2023 report, up eight percentage points over the past two years.
Consumers’ concerns are also mounting, according to the Identity Theft Resource Center (ITRC), whose 2023 Consumer Impact Report cited a rise in sophisticated social engineering scams such as phishing for credit card numbers and an increase in related dollar losses.  Nearly one-third (31%) of the victims who reported identity theft to the ITRC in 2022 felt compelled to freeze their credit.
The Marriage of PCI DSS and DMARC Tools
Issued in March 2022, PCI DSS v4.0 cites anti-phishing mechanisms such as DMARC as a recommended best practice. By the end of March 2025, such efforts will be required for PCI compliance.
The updated standard calls for a combination of anti-phishing controls, applied company-wide. The list includes:
- DMARC tools and the related Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), to help stop phishers from spoofing the entity’s domain and impersonating personnel.
- Anti-malware technologies and URL protection, for blocking phishing emails and malware before they reach personnel.
- Employee cybersecurity training for rapid identification and reporting of malicious emails.
Other general PCI DSS provisions applicable to the security of email and email archives include network security controls, encryption, acceptable use policies, testing, and minimum data retention and disposal policies — all within the framework of an overarching information security policy.
Organizations Had Been Slow to Deploy DMARC Tools
Merchants are spending about one-tenth of their annual ecommerce revenue to manage payment fraud in general, according to the Global Fraud and Payments Report.  So far, DMARC has not figured prominently in companies’ budgets.
Mimecast’s SOES report confirmed that the rollout of DMARC plateaued in recent years at under 30% market penetration. A Mimecast-sponsored report from Enterprise Strategy Group (ESG) found DMARC falling short of its full potential in another way. Rather than using DMARC tools to set and enforce policies on handling illicit emails (e.g., automatically rejecting them), they’ve been used primarily for monitoring and reporting.
Complexity has hindered the use of DMARC tools. DMARC reporting can be time-consuming, as security teams sift through innumerable reports to validate which domains are valid and which are not, according to the ESG report.
PCI Compliance to Accelerate DMARC Uptake
The PCI DSS v4.0 standard and PCI compliance obligations are expected to change that. Companies typically self-assess compliance with existing and new requirements, but data breaches draw the scrutiny of PCI compliance officials. According to a recent CSO Online article, fines vary but may be assessed at $5,000 per month, increasing tenfold if compliance isn’t restored within several months. Fines of $50 to $90 per customer affected by a data breach may also be incurred if a business failed to comply with PCI.
Other recent developments, such as the emergence of zero-trust strategies, are also accelerating DMARC uptake, as is the growing availability of managed DMARC services and self-service platforms. Solutions like these are reducing DMARC complexity with aids such as record-setup wizards and user-friendly reports for analysis and policy enforcement. Solutions such as Mimecast’s DMARC Analyzer can also be integrated across various security tools for even greater ease of use.
By the numbers, more than one-quarter (27%) of SOES 2023 survey respondents say their companies already use DMARC to combat email spoofing, 35% are in the process of rolling it out, and 26% are looking to roll it out in the next 12 months.
Higher Education Is Not Immune
While most higher education institutions have been able to avoid scrutiny when it comes to credit card processing in the past, banks are beginning to treat these schools as the larger enterprises they can operate as. This means that universities and colleges are going to need to comply with the new PCI DSS DMARC regulations, or, just like other enterprises, be subject to the fines, loss of reputation, and other risks that come with non-compliance when data breaches occur.
The Bottom Line
Any organization that handles payments faces a March 2025 deadline to implement DMARC tools for email security and brand protection under the latest update of the PCI DSS standard. The mandate is expected to reinvigorate DMARC’s rollout as the root problems of email phishing and credit card theft continue to mount. Get ready. Get a free trial of Mimecast’s DMARC Analyzer here.
 “Payment Card Industry Data Security Standard Version 4.0,” PCI Security Standards Council
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!