Credit Card Industry Spurs Organizations to Use DMARC Tools
Companies everywhere use the PCI DSS standard for handling credit card data, as required by payment companies, and now, the standard includes DMARC email authentication
Key Points
- PCI DSS v4.0 will require companies to use DMARC tools to protect credit card data by March 31, 2025.
- The standard is expected to accelerate a lagging DMARC rollout.
- With just five months left before the compliance deadline and an average DMARC rollout taking six to nine months, organizations must begin implementation as quickly as possible.
Businesses both large and small face a looming deadline to implement the global Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard for email security and brand protection — or face significant consequences, including fines ranging from $5,000 to $100,000, though it is not clear how these fines will be enforced.
The Payment Card Industry Security Standards Council (PCI SSC) has mandated DMARC use by 2025 for any company handling credit cards and other payments, as well as for financial services providers[1]. DMARC is officially part of the newest PCI Data Security Standard, version 4 (PCI DSS v4.0).
The DMARC requirement is meant to help businesses operate more securely in an economic landscape that has seen data breaches and credit card thefts continue to mount in number and cost, according to recent cybersecurity statistics. It is also expected to accelerate DMARC adoption, since failure to comply with PCI DSS could lead to fines and penalties up to a business losing its right to handle payments. On the other hand, most companies — especially small and medium-sized businesses (SMBs) — are challenged to adopt the email authentication standard because DMARC tools have proven complicated to deploy.
Phishing and Brand Spoofing on the Rise
Both phishing and brand spoofing have been on the rise, resulting in increased costs related to cybercrime:
- Phishing: In 2023, phishing emails totaled 1.76 billion, the highest amount on record. This represents a 51% increase from 2022[2].
- Spoofing: In Mimecast’s State of Email & Collaboration Security 2024 (SOECS 2024) report, email spoofing, where an imposter tries to make it seem as though an email comes from a trusted source, also continues to spread, with 35% of SOECS 2024 respondents noting that the number of these attacks grew again in the past year.
Companies’ costs related to cyber credit card theft are growing. According to IBM’s 2024 Cost of a Data Breach Report, compromised records with personally identifiable information (PII), including those with credit card information, cost businesses $173 per record — more than any other category of asset stolen in data breaches[3]. Customer PII is also the most breached record type of all, compared to employee PII, intellectual property, and other categories. Customer PII represents 46% of all breaches in the 2024 report.
Consumers’ concerns are also mounting, according to the Identity Theft Resource Center (ITRC), whose 2023 Consumer Impact Report cited a rise in sophisticated social engineering scams such as phishing for credit card numbers and an increase in related dollar losses[2]. In fact, 31% of the victims who reported identity theft to the ITRC in 2022 felt compelled to freeze their credit.
The Marriage of PCI DSS and DMARC Tools
Issued in March 2022, PCI DSS v4.0 cites anti-phishing mechanisms such as DMARC as a recommended best practice. By the end of March 2025, such efforts will be required for PCI compliance[4].
The updated standard calls for a combination of anti-phishing controls, applied company-wide. The list includes:
- DMARC tools and the related Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to help stop phishers from spoofing the entity’s domain and impersonating personnel.
- Anti-malware technologies and URL protection, for blocking phishing emails and malware before they reach personnel.
- Human risk-centric security awareness and training for rapid identification and reporting of malicious emails by users.
Other general PCI DSS provisions applicable to the security of email and email archives include network security controls, encryption, acceptable use policies, testing, and minimum data retention and disposal policies — all within the framework of an overarching information security policy.
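As an added illustration of the first control in the list above, the following Python script parses a DMARC TXT record and reports whether the published policy actually enforces anything or only monitors. It is example code written for this article, not Mimecast’s DMARC Analyzer or record checker; the sample records at the bottom are constructed and belong to no real domain.

```python
# Added example: an offline DMARC TXT record checker. It is not Mimecast's
# DMARC Analyzer or record checker; the sample records below are constructed.
# A live checker would first fetch the TXT record at _dmarc.<domain> via DNS.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 syntax).

    Tag names are case-insensitive and the first tag must be v=DMARC1.
    """
    tags = {}
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if not tags and key != "v":
            raise ValueError("first tag must be v=DMARC1")
        tags[key] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify a record as invalid, monitoring, partial or enforcement.

    Returns the status plus a list of warnings a domain owner should act on.
    """
    warnings = []
    try:
        tags = parse_dmarc_record(record)
    except ValueError as exc:
        return {"status": "invalid", "warnings": [str(exc)]}

    if tags.get("v") != "DMARC1":
        return {"status": "invalid", "warnings": ["v tag must be DMARC1"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"status": "invalid", "warnings": [f"p tag missing or unknown: {policy!r}"]}

    # pct defaults to 100; anything lower applies the policy to only a sample of failures.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return {"status": "invalid", "warnings": ["pct must be an integer"]}
    if not 0 <= pct <= 100:
        return {"status": "invalid", "warnings": ["pct must be between 0 and 100"]}

    # Without rua, receivers have nowhere to send aggregate reports, so the
    # domain owner gets no visibility into who is sending as the domain.
    if "rua" not in tags:
        warnings.append("no rua address: aggregate reports will not be delivered")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        warnings.append("rua URIs must use the mailto: scheme")

    # Subdomains inherit p unless sp overrides it.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        warnings.append("sp=none leaves subdomains unprotected while the organizational domain is enforced")

    if policy == "none":
        status = "monitoring"
        warnings.append("p=none only reports: spoofed mail is still delivered")
    elif pct < 100:
        status = "partial"
        warnings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    else:
        status = "enforcement"
    return {"status": status, "policy": policy, "pct": pct, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample records; none belongs to a real domain.
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject",
        "p=reject; v=DMARC1",
    ]
    for sample in samples:
        result = assess_dmarc(sample)
        print(f"{result['status']:<12} {sample}")
        for warning in result["warnings"]:
            print(f"             - {warning}")
```

The status values map onto the distinction PCI DSS cares about: a record that parses but carries p=none satisfies the letter of “having DMARC” while still letting spoofed mail through, and a reduced pct or an sp=none override quietly weakens an otherwise enforcing policy.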
Companies Had Been Slow to Deploy DMARC Tools
Merchants are spending about one-tenth of their annual ecommerce revenue to manage payment fraud in general, according to the Global Fraud and Payments Report[5]. So far, DMARC has not figured prominently in companies’ budgets. At the same time, a typical large enterprise can save $2.4 million annually by enforcing DMARC. These savings stem from an increased return from customer engagement with outbound emails, a reduced need for customer support, and lower cybersecurity insurance premiums.
A Mimecast-sponsored report from Enterprise Strategy Group (ESG) found DMARC falling short of its full potential in another way. Rather than being used to set and enforce policies on handling illicit emails (e.g., automatically rejecting them), DMARC tools have been used primarily for monitoring and reporting.
Complexity has hindered the use of DMARC tools. DMARC reporting can be time-consuming, as security teams sift through innumerable reports to work out which sending sources are legitimate and which are not, according to the ESG report.
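To make the reporting burden concrete, here is an added example (written for this article, not Mimecast’s reporting code) that rolls up one DMARC aggregate report, the XML a receiving mail provider sends back to the address in the rua tag, into a per-sender summary. The report is constructed to follow the RFC 7489 Appendix C layout; the organisation names and IP addresses (from the RFC 5737 documentation ranges) are placeholders.

```python
# Added example: summarise a DMARC aggregate (rua) report per sending IP.
# Not Mimecast's code; SAMPLE_REPORT is constructed and the IPs are from the
# RFC 5737 documentation ranges.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.5</source_ip>
      <count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Roll up a report per sending IP and flag sources that never pass DMARC.

    A message passes DMARC when either its aligned DKIM or aligned SPF result
    is "pass"; the policy_evaluated element carries those aligned results.
    """
    # Real reports arrive from third parties: parse them with defusedxml or an
    # equivalently hardened parser rather than the stdlib parser used here.
    root = ET.fromstring(xml_text)
    per_source: dict = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        entry = per_source.setdefault(ip, {"total": 0, "passed": 0, "failed": 0})
        entry["total"] += count
        entry["passed" if passed else "failed"] += count

    total = sum(e["total"] for e in per_source.values())
    failed = sum(e["failed"] for e in per_source.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total_messages": total,
        "failed_messages": failed,
        "per_source": per_source,
        # Sources with no passing mail are either a legitimate sender whose
        # SPF/DKIM was never set up, or someone else sending as the domain.
        "unauthenticated_sources": sorted(
            ip for ip, e in per_source.items() if e["passed"] == 0
        ),
    }


if __name__ == "__main__":
    summary = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{summary['domain']} (p={summary['published_policy']}) from {summary['reporter']}")
    for ip, counts in summary["per_source"].items():
        print(f"  {ip:<16} total={counts['total']:>4} pass={counts['passed']:>4} fail={counts['failed']:>4}")
    print("needs attention:", ", ".join(summary["unauthenticated_sources"]))
```

Run across a month of reports from every major receiver, the `unauthenticated_sources` list is the triage queue the ESG report describes: each entry has to be identified as a forgotten legitimate sender (fix its SPF or DKIM) or as abuse of the domain (safe to let a quarantine or reject policy handle it). Only once that list is empty or understood does moving p= from none to enforcement stop being a gamble with legitimate mail.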
Mimecast Can Help with DMARC and PCI DSS Compliance Standards
Mimecast’s DMARC Analyzer solution is designed to simplify and accelerate implementation of DMARC, while also delivering full visibility and control of who is sending emails on an organization’s behalf.
Mimecast’s DMARC Analyzer solution protects brands by providing the tools needed to stop spoofing and misuse of owned domains. Designed to help reduce the time and resources required to become successfully DMARC compliant, Mimecast’s self-service solution provides the reporting and analytics needed to gain full visibility of all email channels. Using DMARC to stop direct domain spoofing protects against brand abuse and scams that tarnish reputation and cause direct losses for an organization as well as its customers and partners.
In addition to the self-service capability within DMARC Analyzer, Mimecast offers Managed Services to proactively guide organizations through each stage of the DMARC deployment and maintenance, ensuring strong benefits from the full range of DMARC capabilities. Many organizations — particularly businesses with fewer IT resources — face challenges implementing DMARC on their own, so Mimecast has developed a comprehensive managed services solution to help those organizations.
The Bottom Line
Any company that handles payments faces a March 2025 deadline to implement DMARC tools for email security and brand protection under the latest update of the PCI DSS standard. The mandate is expected to reinvigorate DMARC’s rollout as the root problems of email phishing and credit card theft continue to mount. Get ready, and use Mimecast’s DMARC record checker tool to validate your DMARC records in seconds.
Originally published August 31, 2023
[1] “Live Discussion on PCI DSS v4.0,” LinkedIn
[2] “2023 Consumer Impact Report,” Identity Theft Resource Center
[3] “Cost of a Data Breach Report 2024,” IBM (ibm.com)
[4] “Payment Card Industry Data Security Standard Version 4.0,” PCI Security Standards Council
[5] “Global Fraud and Payments Report,” Merchant Risk Council and Visa Cybersource