New regulations affect a number of industries, including healthcare, retail and hospitality. It's time to implement DMARC.
DMARC to become a requirement in the latest PCI DSS 4.0
The most recent version of PCI DSS, to which organisations have until March 2025 to adhere, places a strong focus on email authentication, including DMARC compliance.
What is the PCI DSS standard?
PCI DSS stands for Payment Card Industry Data Security Standard. It is maintained by a global organisation, the PCI Security Standards Council (PCI SSC), responsible for securing payment processes and data. It is a set of security standards which combines the best practices implemented by Mastercard, Discover, American Express and Visa. Its purpose is to protect credit and debit card transactions from fraud and data theft. The standard keeps up with the latest cybersecurity threats, and its security requirements are regularly updated with new mandatory actions that must be implemented to protect against emerging threats.
Under PCI DSS Requirement 5, automated mechanisms must now be implemented to detect and protect against email phishing attacks.
The PCI SSC recommends implementing DMARC as best practice for organisations: it can prevent email spoofing and so strengthens protection against phishing attacks.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication and anti-spoofing protocol that helps protect an organisation from email scams and phishing attacks.
Attackers can impersonate an organisation or individual the recipient would usually trust and deceive them into handing over personal or sensitive information or transferring money. DMARC ensures that the emails recipients receive genuinely come from the domain they claim to be from by checking the sender's identity.
When a suspicious email is trying to land in your inbox, DMARC combines the results of SPF and DKIM to authenticate the source of the email and confirm that it has not been altered in transit. In their DMARC record, domain owners set a policy for their domain: 'none', 'quarantine' or 'reject'. When a policy is fully configured, it reduces the likelihood of phishing attempts reaching the inbox.
Industries impacted
Industries that are required to comply with PCI DSS are those that process, store or transmit card data. The sectors that will be impacted the most are retail, healthcare and hospitality. They are attractive targets for attackers due to their high volume of credit and debit card transactions and the large amount of sensitive information they handle.
What are the benefits of implementing DMARC?
Protection from Phishing and Spoofing
Phishing and spoofing are significant, evolving issues for organisations. With human error remaining the most common cause of a data breach, reducing the number of phishing attempts that land in employees' inboxes reduces the likelihood of an attack. A domain can also be monitored through DMARC reports, which give organisations valuable insight into the actions needed to improve their email security and authentication.
Increased Brand Reputation
DMARC can increase brand trust and reputation by preventing attackers from sending fraudulent emails that impersonate your organisation. Without this protection, customers could receive inauthentic emails appearing to come from the organisation's domain, leading to a phishing attack and a loss of trust in the brand.
Other future-dated requirements for PCI DSS compliance
Other future-dated requirements in PCI DSS v4.0 include:
Encrypt or protect sensitive authentication data that is stored.
If remote access technology is used to access the cardholder data environment, copying and relocating PAN data must be prevented.
A keyed cryptographic hash method must be used (rather than an unkeyed hash).
Organisations must have a web application firewall in front of any web application exposed to the internet.
The minimum password length increases from 7 to 12 characters.
MFA is required for all access to the cardholder data environment.