Credit Card Industry Spurs Organizations to Use DMARC Tools
Companies everywhere use the PCI DSS standard for handling credit card data, as required by payment companies. Now, the standard includes DMARC email authentication.
Key Points
- PCI DSS v4.0 will require companies to use DMARC tools to protect credit card data by March 31, 2025.
- The standard is expected to accelerate a lagging DMARC rollout.
- With just five months left in the compliance deadline and an average DMARC rollout time of six to nine months, organizations must work toward implementation as quickly as possible.
Businesses both large and small face a looming deadline to implement the global domain-based message authentication, reporting, and conformance (DMARC) standard for email security and brand protection — or face significant consequences, including pricey fines ranging from $5,000 to $100,000.
The Payment Card Industry Security Standards Council (PCI SSC) has mandated DMARC use by 2025 for any company handling credit cards and other payments, as well as for financial services providers1. DMARC is officially part of the newest PCI Data Security Standard, version 4 (PCI DSS v4.0).
The DMARC requirement is meant to help businesses operate more securely in an economic landscape that has seen data breaches and credit card thefts continue to mount in number and cost, according to recent cybersecurity statistics. It is also expected to accelerate DMARC adoption, since failure to comply with PCI DSS could lead to fines and penalties up to a business losing its right to handle payments. On the other hand, most companies — especially small and medium-sized businesses (SMBs) — are challenged to adopt the email authentication standard because DMARC tools have proven complicated to deploy.
Phishing and Brand Spoofing on the Rise
Both phishing and brand spoofing have been on the rise, resulting in increased costs related to cybercrime:
- Phishing: In 2023, phishing emails totaled 1.76 billion, the highest amount on record. This represents a 51% increase from 20222.
- Spoofing: In Mimecast’s State of Email & Collaboration Security 2024 (SOECS 2024) report, email spoofing, where an imposter tries to make it seem as though an email comes from a trusted source, also continues to spread, with more than one-third (35%) of the SOECS 2024 respondents noting that the number of these attacks grew again in the past year.
Companies’ costs related to cyber credit card theft are growing. According to IBM’s 2024 Cost of a Data Breach Report, compromised records with personally identifiable information (PII), including those with credit card information, cost businesses $173 per record — more than any other category of asset stolen in data breaches3. Customer PII is also the most breached record type of all, compared to employee PII, intellectual property, and other categories. Customer PII represents 46% of all breaches in the 2024 report.
Consumers’ concerns are also mounting, according to the Identity Theft Resource Center (ITRC), whose 2023 Consumer Impact Report cited a rise in sophisticated social engineering scams such as phishing for credit card numbers and an increase in related dollar losses2. Nearly one-third (31%) of the victims who reported identity theft to the ITRC in 2022 felt compelled to freeze their credit.
The Marriage of PCI DSS and DMARC Tools
Issued in March 2022, PCI DSS v4.0 cites anti-phishing mechanisms such as DMARC as a recommended best practice. By the end of March 2025, such efforts will be required for PCI compliance4.
The updated standard calls for a combination of anti-phishing controls, applied company-wide. The list includes:
- DMARC tools and the related Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), to help stop phishers from spoofing the entity’s domain and impersonating personnel.
- Anti-malware technologies and URL protection, for blocking phishing emails and malware before they reach personnel.
- Human Risk-Centric Security Awareness and Training for rapid identification and reporting of malicious emails by users.
Other general PCI DSS provisions applicable to the security of email and email archives include network security controls, encryption, acceptable use policies, testing, and minimum data retention and disposal policies — all within the framework of an overarching information security policy.
Companies Had Been Slow to Deploy DMARC Tools
Merchants are spending about one-tenth of their annual ecommerce revenue to manage payment fraud in general, according to the Global Fraud and Payments Report5. So far, DMARC has not figured prominently in companies’ budgets. At the same time, a typical large enterprise can save $2.4 million annually by enforcing DMARC. These savings stem from an increased return from customer engagement with outbound emails, reduced need for customer support, and a lower cost of cybersecurity insurance premium.
A Mimecast-sponsored report from Enterprise Strategy Group (ESG) found DMARC falling short of its full potential in another way. Rather than using DMARC tools to set and enforce policies on handling illicit emails (e.g., automatically rejecting them), they’ve been used primarily for monitoring and reporting.
Complexity has hindered the use of DMARC tools. DMARC reporting can be time-consuming, as security teams sift through innumerable reports to validate which domains are valid and which are not, according to the ESG report.
Mimecast Can Help with DMARC and PCI DSS Compliance Standards
Mimecast’s DMARC Analyzer solution is designed to simplify and accelerate implementation of DMARC, while also delivering full visibility and control of who is sending emails on an organization’s behalf.
Mimecast’s DMARC Analyzer solution protects brands by providing the tools needed to stop spoofing and misuse of owned domains. Designed to help reduce the time and resources required to become successfully DMARC compliant, Mimecast’s self-service solution provides the reporting and analytics needed to gain full visibility of all email channels. Using DMARC to stop direct domain spoofing protects against brand abuse and scams that tarnish reputation and cause direct losses for an organization as well as its customers and partners.
In addition to the self-service capability within DMARC Analyzer, Mimecast offers Managed Services to proactively guide organizations through each stage of the DMARC deployment and maintenance, ensuring strong benefits from the full range of DMARC capabilities. Many organizations – particularly businesses with fewer IT resources - face challenges implementing DMARC on their own, so Mimecast has developed a comprehensive managed services solution to help those organizations.
The Bottom Line
Any company that handles payments faces a March 2025 deadline to implement DMARC tools for email security and brand protection under the latest update of the PCI DSS standard. The mandate is expected to reinvigorate DMARC’s rollout as the root problems of email phishing and credit card theft continue to mount. Get ready, and use Mimecast’s DMARC record checker tool to validate your DMARC records in seconds.
Originally published August 31, 2023
1 “Live Discussion on PCI DSS v4.0,” LinkedIn
2 “2023 Consumer Impact Report,” Identity Theft Resource Center
3 Cost of a Data Breach Report 2024 (ibm.com)
4 “Payment Card Industry Data Security Standard Version 4.0,” PCI Security Standards Council
5 “Global Fraud and Payments Report,” Merchant Risk Council and Visa Cybersource
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!