PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of mandatory requirements for companies that store, process, or transmit cardholder information. Companies accepting payments via Visa, MasterCard, American Express, Discover, and JCB must follow PCI compliance rules.
It’s no secret that all companies use email for day-to-day business activities. For organizations covered by PCI DSS, email is paramount for several reasons.
First, there is internal and external communication. A company may exchange sensitive payment information between its departments or send invoices and receipts to customers. It may also talk to third-party vendors and exchange customer details with them.
Second, organizations use email to communicate about breaches, incident response, or reporting. Thus, emails might contain sensitive details.
With the PCI DSS v4, email authentication is becoming necessary for any company dealing with sensitive cardholder data. Let’s dive into the topic and see what’s changing and why.
What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) is a global organization responsible for securing payment processes and data. The Data Security Standard (DSS) published by PCI SSC applies to companies with access to cardholder data. This set of requirements covers anti-spam, anti-phishing, encryption, and other security measures.
The PCI Data Security Standard v3 focused on protecting primary account numbers (PAN) and sensitive authentication data (SAD). It used mechanisms like encryption, hashing, truncation, or masking.
Like other regulatory bodies, the PCI Security Standards Council regularly updates its security requirements to meet rising cyber threats. v4 is the latest version of the standard; its development started in 2017. It’s a community-based change initiative with active development and review stages. PCI SSC received 6,000 feedback instances and 700 survey comments from participating organizations.
The previous version will be retired on March 31, 2024, when v4 comes into full force. Still, the Council deems some technical and harder-to-achieve provisions “future dated.” Organizations have until March 31, 2025, to adhere to these requirements.
Let’s dive into the changes and see what the regulation focuses on.
What are the Changes In PCI DSS v4.0?
The PCI Council released PCI DSS v4.0 on March 31, 2022. The provisions include a few major changes:
- Improving requirements for the PCI DSS standard and removing redundancies
- Clarifying the guidance and testing procedures for PCI DSS compliance
- Increasing the efficiency of PCI compliance reporting
- Paying more attention to targeted risk analysis, organizational maturity, and governance
Besides the above-mentioned changes, email authentication protocols are taking “center stage.” DMARC compliance falls within the scope of the “future dated” provisions. However, companies had better start thinking about the journey now.
Some other “future dated” requirements include:
- Extended At-Rest Encryption: Encrypting only the hard drive isn’t enough. Organizations should start using file-level encryption or other, more granular methods.
- Expanded Inventories for Encryption Keys: Organizations must add another layer of data protection to keys and certificates.
- Ongoing System Evaluation: The companies must make a risk profile and adapt systems to handle vulnerabilities.
- Removable Media Monitoring: Scanning and keeping logs on all removable media should become a best practice.
- Anti-Phishing Protection: Companies must find automated processes such as email authentication protocols (SPF, DKIM, and DMARC) to safeguard themselves.
- Strengthened Security for Web Scripts and Applications: Organizations should automate technical security controls and set up firewalls for user-facing systems.
- Ongoing User Account Review: Organizations should schedule a periodic (6-month) account review to ensure restricted access and event controls.
- Improved Password Security: Organizations should enforce 12-character passwords and periodic changes. They should also use MFA at all times.
- Encryption: Companies should stay current with the latest encryption trends and review the algorithms every year.
The PCI DSS Requirements and Testing Procedures, Version 4.0 document contains details on these and other provisions.
PCI DSS v4.0 and Email Authentication
As mentioned above, a notable area of focus in PCI DSS v4.0 is anti-fraud and email security. Organizations involved in payment card processing are at heightened risk of unauthorized access, data breaches, and phishing attacks. Thus, PCI DSS v4.0 emphasizes the need for robust email security measures to protect sensitive cardholder data.
The specific updates and requirements related to email security in PCI DSS v4.0 include the following:
- Install Strong Access Controls for Email Systems: Companies must enforce multi-factor authentication, complex passwords, and regular access reviews. These measures mitigate the risk of unauthorized access and reduce the chances of email-related security incidents.
- Protect Stored Cardholder Data within Email Systems: This rule includes encryption and proper access controls. Encrypting stored cardholder data keeps it safe and unusable, even if someone unauthorized breaches the email system.
- Track and Respond to Email-Related Security Alerts: Organizations must establish robust monitoring mechanisms and plan a prompt incident response. Reviewing system logs for suspicious activities also helps.
Besides these requirements, PCI DSS v4.0 promotes industry best practices and standards for transmitting cardholder data. PCI DSS compliance recognizes the value of email authentication, such as DMARC (Domain-based Message Authentication, Reporting, and Conformance).
DMARC helps prevent email spoofing and impersonation. It falls under the anti-phishing rule of the DSS. DMARC compliance provides organizations with monitoring mechanisms and proactive control against phishing attacks targeted at cardholder data.
In technical terms, DMARC checks that the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) results are aligned with the domain in the message’s From header. It ensures that both frameworks work together and fully protect your email infrastructure.
However, PCI DSS-compliant organizations should aim for the highest level of DMARC policy enforcement. Reaching DMARC compliance is a meticulous process that needs time and patience.
The Three Levels of DMARC
When you first add your DMARC record, the best practice is to set the policy to “none.” This lets your administrators gather reports and observe the ecosystem before they take action and set rules. Only after you have configured all sending sources does it make sense to move the policy to the next level – “quarantine.”
“p=quarantine” is a middle ground between monitoring and rejecting unauthorized mail. Here, the receiving server sends illegitimate emails to the spam folder. This solves the issue of losing emails and gives you leeway on email deliverability.
Don’t postpone moving on from the quarantine policy. Once you’re sure you have configured the systems and listed all the sources, move to the “reject” policy. “p=reject” is the highest data protection level. It rejects all emails from unauthorized sources, giving you peace of mind about your email infrastructure, including sensitive cardholder data.
Benefits of Implementing DMARC for PCI DSS Compliance
Organizations that handle cardholder data can reap many benefits from having DMARC. Let’s focus on the top three:
- Phishing and spoofing prevention: DMARC reports help to monitor domain infrastructure. This allows time to find and fix issues before they lead to breaches and phishing attacks.
- Improved email deliverability: This is one of the indirect benefits of DMARC.
- Strengthening brand trust: With DMARC, unauthorized senders can’t send emails on your company’s behalf. Thus, building a trusting relationship with customers, partners, and vendors becomes easier.
Challenges of Implementing DMARC for PCI DSS Compliance
DMARC deployment is a technical process, and it’s quite time-consuming for many companies. Still, reaching the “reject” policy is well worth the effort. Based on EasyDMARC’s expertise with clients, we’ve identified a few aspects of the implementation process that can be especially challenging:
- Organizational resistance: The higher-ups should recognize the need for email authentication. Otherwise, implementing the change is going to take a lot of work.
- Legacy systems: Outdated systems and software that don’t support DMARC may suspend the process until the teams find workarounds.
- No technical expertise: This one usually stems from the previous two points. If the in-house team has issues during deployment, the organization had better outsource the process to experts. This usually happens at companies with large and complicated infrastructures.
- Data Volume and Processing Challenges: Large organizations with high email volumes may find it challenging to process and analyze DMARC reports. The sheer volume of data can strain resources. In such cases, robust reporting and analysis tools come to the rescue. Finding a scalable data processing and analysis solution becomes important.
- Lack of Email Infrastructure Visibility: Having complex or decentralized email infrastructure is another challenge. Companies may struggle to gain complete visibility into all authorized and unauthorized email sources. The process usually requires cross-team collaboration.
- Third-Party Services and Email Forwarding: Multiple domains, subsidiaries, third-party services, and email forwarding complicate DMARC implementation. This is where coordinating with third parties and trusting DMARC experts makes a difference.
- False Positives and Email Deliverability: DMARC implementation is a meticulous process. Skipping steps and moving straight into aggressive policy enforcement can incorrectly flag legitimate emails as unauthorized and reject them.
Organizations can solve these problems by seeking help from outside experts. They can also collaborate with DMARC service providers or turn to industry resources and forums. Organizations should also cooperate with vendors and stakeholders to address technical, operational, and cultural obstacles.
Regular communication, training, and ongoing DMARC monitoring help meet PCI DSS compliance email security requirements.
DMARC Implementation Guide for PCI DSS Compliance
DMARC is a good way to improve email security and meet PCI standards. We’ve compiled a step-by-step guide to help you quickly enhance security systems and processes.
Step 1. Assess Current Email Infrastructure
Begin by assessing your company’s current email infrastructure. Identify the email systems, domains, and third-party services involved in sending and receiving emails on behalf of your organization. Find out if your domain has existing authentication mechanisms like SPF and DKIM and test their effectiveness. In short, establish the baseline.
Step 2. Develop a DMARC Implementation Plan
With the assessment complete, you’ll be able to pinpoint your company’s specific needs. Create a comprehensive plan for DMARC implementation tailored to your organization’s requirements and email environment.
The plan should include key milestones, timelines, and responsible stakeholders involved in the implementation process. Map out dependencies or integration requirements with existing email systems and third-party services.
Step 3. Configure SPF and DKIM
DMARC uses two authentication mechanisms – SPF and DKIM. Thus, you’ll have to start your DMARC journey by first addressing these protocols and their configuration. Aligning these mechanisms with DMARC helps maximize the effectiveness of email authentication and strengthens security.
Step 4. Set Up DMARC
Use a DMARC record generator tool to create the DMARC record. Publish it in your DNS to start setting up DMARC. Pay attention to the DMARC tags.
The first and most important is “p,” the policy tag. Set it to “none” before continuing with DMARC enforcement.
The “rua” and “ruf” tags need correct configuration. They specify where reports are delivered. DMARC aggregate and failure reports are the driving force of the framework. They give valuable insights into email authentication failures, sources of unauthorized emails, and general email ecosystem health.
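To make the SPF/DKIM alignment from Step 3, the policy levels, and the “p”, “rua” and “ruf” tags from Step 4 concrete, here is an added example (not EasyDMARC’s code) that parses a DMARC TXT record and evaluates a message against it the way a receiving mail server would. The sample record and the domain example.com are constructed for illustration, and the organizational-domain logic is simplified (real receivers consult the Public Suffix List).

```python
# Added example (not EasyDMARC's code): parse a DMARC TXT record and evaluate
# a message against it the way a receiving mail server does.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # DKIM alignment: relaxed unless adkim=s
    tags.setdefault("aspf", "r")   # SPF alignment: relaxed unless aspf=s
    return tags

def missing_reporting(tags):
    """List the report tags that are absent or not mailto: URIs ('rua' = aggregate, 'ruf' = failure)."""
    return [t for t in ("rua", "ruf") if not tags.get(t, "").startswith("mailto:")]

def org_domain(domain):
    # Simplified organizational domain: the last two labels. Real receivers use
    # the Public Suffix List, so e.g. 'example.co.uk' would need that list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(tags, from_domain, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none"):
    """Return (dmarc_result, disposition). A message passes if either SPF or DKIM
    passed AND is aligned with the From-header domain; otherwise policy 'p' applies."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

# Constructed sample record for the hypothetical domain example.com
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s"

if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    print("missing report tags:", missing_reporting(rec))
    # Spoofed message: SPF passed for an unrelated domain, so it is not aligned
    print(evaluate(rec, "example.com", spf_domain="unrelated.test", spf_result="pass"))
```

Running the sample shows why the article insists on configuring both report tags: the record above is missing “ruf”, and the unaligned message is quarantined rather than delivered.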
Step 5. Set Up DMARC Reporting and Analysis
Getting reports is the first step to understanding your email infrastructure. Analyze these reports to identify any issues, patterns, or anomalies. Use appropriate tools to make the process easy and painless.
Step 6. Ongoing Monitoring and Maintenance
Reaching “p=reject” isn’t the last step in your DMARC journey. Continuous maintenance and report analysis will help you stay on top of the changes in your domain infrastructure. Review and update DMARC policies to adapt to changing business requirements and evolving security threats.
Bonus: DMARC Best Practices for PCI DSS Compliance
Following our DMARC compliance guide is the best way to go through your journey. Our products are also by far the easiest way to install and maintain robust security measures for your domain infrastructure.
Still, here are a few more best practices for a better picture.
Enforce DMARC Policies One Step at a Time, Without Hurry
Start DMARC implementation with the monitoring policy – “p=none.” While on “none,” you’ll gain insights into the email ecosystem. You’ll be able to identify legitimate senders and pinpoint fraudulent email activity.
The change to “p=quarantine” and, eventually, “p=reject” shouldn’t be immediate. Skipping steps and hurrying can cause your emails to get lost in transit and never reach the receiver.
Train Your Employees
DMARC implementation may seem highly technical, but its impact is direct and practical. Thus, employees should be aware of the changes you’re making in the background. Adding a few employee cyber awareness and anti-phishing programs will also help. These educate them about their role in building and maintaining a secure email environment.
DMARC implementation is an ongoing process. All organizations change and grow. As your company grows, you add more sending sources. This means that the domain infrastructure will need an upgrade.
You must also stay updated with industry best practices and refine your DMARC policies and authentication mechanisms.
While both versions of PCI DSS are still in effect, the deadline for adhering to the “future dated” provisions might seem far off. Still, DMARC deployment takes time and effort, so it’s smart to start early. This will give you plenty of time to refine PCI DSS compliance.
The industry’s fastest DMARC deployment is possible with EasyDMARC’s smart cloud-native platform. Feel free to get in touch with us for more details.