PCI SSC mandates DMARC for March 2025 — strengthening payment card security

PCI SSC Blog 2025

In 2023, we discussed the PCI Security Standards Council's (PCI SSC) strong recommendation for organisations to implement DMARC. Now, with its mandatory status in PCI DSS version 4.0.1, DMARC takes centre stage as a critical step in PCI SSC’s mission to protect payment card data from evolving threats. The recently released Requirements and Testing Procedures v4.0.1 mandates DMARC implementation by 31 March 2025, underscoring its vital role in safeguarding sensitive payment card data.

Why DMARC is critical for payment card security

Phishing attacks continue to pose a significant threat to organisations handling payment card information. These attacks deceive recipients into revealing sensitive data such as usernames, passwords, and account details by impersonating legitimate sources.

DMARC plays a pivotal role in combating such threats by:

  • Verifying Email Authenticity: Ensuring emails claiming to come from an organisation’s domain are sent by authorised sources.
  • Blocking Spoofing Attempts: Preventing attackers from impersonating domains in phishing campaigns.
  • Enhancing Visibility: Providing detailed reports on email traffic to identify unauthorised senders or compromised accounts.

Implications of mandatory DMARC for businesses

The move to make DMARC mandatory has far-reaching implications for organisations within the payment card industry:

Enhanced security posture — DMARC implementation significantly reduces exposure to phishing attacks, protecting both employees and customers.

Operational adjustments — Organisations must review their email infrastructure and make the necessary updates, such as correcting SPF configuration and publishing DKIM records, and then implement a full DMARC strategy with a tailored policy for emails that fail authentication.

Be audit-ready — We believe DMARC compliance will become a critical focus during PCI DSS audits. Businesses must document and maintain effective DMARC configurations.

Practical guidance for implementation

For organisations transitioning to mandatory DMARC compliance, here are three actionable steps:

1. Audit your current email setup: Review email domains and authentication records (SPF and DKIM) to ensure they support DMARC.

2. Roll out in phases: Start with a monitoring-only policy (p=none) to gather insights and refine your setup. Gradually move to stricter enforcement policies (p=quarantine or p=reject) to block spoofed emails without disrupting legitimate email delivery.

3. Monitor and adapt: Use DMARC reports to identify unauthorised senders and track compliance progress. Leverage these insights to refine your authentication setup and policies.
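The three steps above come together in the aggregate (RUA) reports that receivers send once a DMARC record is published. The following is an added example, not SMX code or tooling: it parses a DMARC TXT record to confirm which rollout phase a domain is in, and summarises a constructed aggregate report to flag source IPs whose mail consistently fails aligned SPF and DKIM. The domain and IP addresses in the sample are made up.

```python
"""Read a DMARC policy record and summarise an aggregate (RUA) report."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample following the RFC 7489 aggregate-report layout.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def parse_dmarc_record(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (p, pct, rua, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def summarise_report(xml_text: str) -> dict:
    """Count messages per source IP; a message passes DMARC when either
    aligned DKIM or aligned SPF passed. Sources that never pass are the
    unauthorised (or misconfigured) senders worth investigating."""
    root = ET.fromstring(xml_text)
    per_ip = defaultdict(lambda: {"total": 0, "failed": 0})
    for row in root.iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        per_ip[ip]["total"] += count
        if not passed:
            per_ip[ip]["failed"] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": dict(per_ip),
        "unauthorised": sorted(ip for ip, s in per_ip.items()
                               if s["failed"] == s["total"]),
    }


if __name__ == "__main__":
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(summarise_report(SAMPLE_REPORT))
```

A domain still at p=none with a list of failing sources should fix or retire those senders before moving to p=quarantine, then p=reject.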

Addressing potential concerns

While some organisations may worry about the cost and complexity of DMARC implementation, many tools and resources are available to simplify the process. From enterprises to smaller businesses, partnering with third-party email security providers can ease the transition. The long-term benefits far outweigh the initial investment.

Make the shift to DMARC compliance and customer trust

The shift to mandatory DMARC in PCI DSS v4.0.1 is a pivotal step in email security. As 31 March 2025 approaches, organisations must prioritise compliance — not only to meet regulatory requirements but to enhance their overall security posture and customer trust. Although implementation may pose challenges, the benefits, including improved security and reduced risk of data breaches, financial loss or reputational harm, are well worth the effort.

DMARC is more than a compliance checkbox; it is a critical layer of defence in today’s threat landscape. Organisations that act now will not only meet PCI DSS requirements but also build greater customer trust and resilience.

Navigating the complexities of DMARC implementation can be challenging, but you don’t have to do it alone. As experts in email security and DMARC implementation, we provide hands-on guidance to help you set up DMARC properly. From aligning your SPF, DKIM, and DMARC records to ensuring full compliance and seamless operations, we’ll tailor solutions to your organisation’s unique needs.

Contact us to learn about our DMARC implementation and managed service solutions.