Payment Card Industry (PCI) Security Standard Council Strongly Recommends Implementing DMARC

SMX Blog, July 2023

DMARC has long been recognised by data security experts globally as one of the most important things organisations can – and should – do to protect themselves and their customers, stakeholders and supply chains from phishing and impersonation.

Following this expert advice, the Payment Card Industry Security Standards Council (PCI SSC) has made it clear in its latest standard that DMARC is strongly recommended to meet requirement 5.4.1, which demands that, “processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.”

The PCI council further states that “using anti-spoofing controls such as Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) will help stop phishers from spoofing the entity’s domain and impersonating personnel.”

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

The PCI Data Security Standard (PCI DSS), including the strong recommendation to implement DMARC, applies to all organisations that receive or store payment card info, including banks and payment clearing houses.

DMARC explained

DMARC has been around since 2015. It could be a game changer in cybersecurity if only organisations would use it.  

It validates every email using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). A DKIM signature confirms that an email’s content has not been altered and ties it to a signing domain – the message may say it is from a well-known brand, but is it really signed by one of that brand’s domains? SPF strengthens these checks by letting a domain owner – the brand, in this case – publish which IP addresses are allowed to send mail for its domain, restricting who can send email on the domain’s behalf.

DMARC pulls these two protocols together under a policy tailor-made for an organisation, and adds the check that the domain authenticated by SPF or DKIM actually aligns with the domain shown in the From header. The policy instructs any receiving server on what to do with emails that fail – quarantine them or reject (block) them. Domain owners also receive aggregate and forensic reports, so they can improve their processes and take action fast if they spot domain spoofing.

In 2016, DMARC became mandated for UK government agencies. In 2017, the US followed suit. We expect DMARC will become mandatory for Australasian organisations soon, with the NZISM currently stating government agencies MUST deploy DMARC. For many governmental organisations it’s already a compliance requirement, but we’re also working with many brands dealing with the threat or risk of impersonation attacks.

Implementing DMARC

SMX Domain Protection Service (DPS) will ensure that DMARC is implemented correctly and smoothly. We provide:

  • A team of DMARC experts who have implemented it many times and understand the pitfalls.
  • Top-notch customer support. Get someone on the phone when you need them.
  • A proven project framework to fast-track the DMARC roll-out in an agreed timeframe.
  • An ongoing managed service to ensure organisations maintain compliance and visibility of any new sending sources or malicious activity.
  • A blend of human and Artificial Intelligence (AI) / Machine Learning (ML) analysis to recommend improvements to your DMARC configuration.
  • Advanced integration features (e.g. Dynamic SPF, Dynamic DMARC, BIMI).
  • A single vendor, which lowers the total cost of ownership.

Contact us today to learn more about our Domain Protection Service.