
EasyDMARC Research Examines State of PCI DSS Compliance in 2025


As cyberattacks rise and phishing remains a major threat, regulations are growing more rigorous to strengthen security. Companies involved in financial transactions face numerous compliance requirements, one of which is PCI DSS. With the upcoming 31 March 2025 deadline for PCI DSS v4.0.1 compliance, EasyDMARC conducted research to gauge how prepared businesses are. This report sheds light on the worrying gaps in email security, specifically DMARC adoption, despite growing regulatory pressure.

The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004 to protect payment transactions and prevent fraud. Since then, this framework has undergone multiple revisions to address evolving cyber threats. The latest version, PCI DSS v4.0.1, enforces stricter security controls, including email authentication measures, to combat phishing and spoofing attacks. However, EasyDMARC’s research indicates that while many companies claim to be prepared, their actual readiness, particularly regarding DMARC implementation, is lacking.

The State of PCI DSS in 2025

EasyDMARC’s study surveyed 502 IT decision-makers across various industries impacted by PCI DSS v4.0.1, including financial services, retail, and e-commerce. Our findings suggest gaps between organizations’ stated compliance and their actual security measures. While 72% of companies that process their own payments state they are ready for PCI DSS v4.0.1, only 38% have implemented DMARC, exposing them to phishing threats and compliance risks. Many organizations remain unaware of the mandatory email security measures outlined in the new standard, underscoring the need for increased education and enforcement.


Phishing Attacks Continue to Rise

Phishing remains one of the most significant cyber threats, particularly for organizations handling payments. EasyDMARC’s research found that 64% of businesses experienced an increase in phishing attacks over the past year, with 25% reporting a significant surge. Cybercriminals frequently target merchants and financial institutions to steal sensitive payment data, making email security a crucial line of defense.

[Figure: Increase in phishing attacks graph]

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a powerful tool against phishing attacks. By letting receiving mail servers verify that a message was sent by an authorized source for its domain, and telling them what to do with messages that fail that check, DMARC prevents unauthorized parties from impersonating legitimate domains. However, despite its effectiveness, adoption remains low, leaving many companies vulnerable.

Organizations Remain Unfamiliar with DMARC

Despite DMARC’s inclusion in PCI DSS v4.0.1, most organizations remain unaware of how it works. The report found that only 40% of companies processing their own payments are very familiar with DMARC requirements, while 19% admitted to lacking knowledge on the subject.

Many businesses mistakenly believe that compliance responsibilities fall solely on third-party payment providers, leading to a false sense of security. In reality, PCI DSS mandates that all merchants secure their payment-related communications to mitigate phishing risks. The widespread lack of awareness highlights the urgent need for DMARC education and industry-wide enforcement.

DMARC Adoption Remains Low

Despite its critical role in securing email communications, DMARC adoption remains sluggish. Currently, only 38% of companies have implemented DMARC, while 48% plan to do so in the near future. However, 14% have no plans to implement DMARC at all, exposing themselves to heightened phishing risks and potential compliance penalties.

[Figure: Organizations implementing DMARC graph]

The slow adoption rate can be attributed to several factors:

  • Lack of technical expertise: 39% of businesses cite a lack of in-house knowledge as a major barrier.
  • Limited awareness of DMARC’s benefits: 36% do not fully understand how DMARC mitigates phishing risks.
  • Concerns about email deliverability: 11% worry that incorrect DMARC configurations might disrupt legitimate email flows.

However, inaction is not an option. Phishing threats continue to grow, and businesses that fail to implement DMARC risk falling victim to increasingly sophisticated attacks.

What is DMARC, and How Does it Help?

DMARC is an email authentication protocol designed to prevent domain spoofing and phishing attacks. It lets domain owners publish a policy that tells receiving mail servers how to handle messages that fail authentication for their domain, and to receive reports on the results.

Pros of DMARC

  • Protects against phishing and spoofing attacks
  • Enhances brand reputation and trust
  • Improves email deliverability by reducing spam-related rejections
  • Provides detailed reporting on email authentication results
  • Simplifies compliance with PCI DSS v4.0.1

Cons of DMARC

  • Requires technical expertise for correct implementation
  • Improper configurations may impact email deliverability
  • Without professional guidance, businesses may struggle to enforce DMARC policies

How Prepared Are Businesses for PCI DSS v4.0.1?

Our research focused on two types of companies: those that process their own payments and those that use third-party payment providers. The findings reveal varying levels of preparedness across both groups, highlighting key areas where businesses need to strengthen their compliance efforts.

Companies that Process Their Own Payments

Among businesses that handle their own transactions, 72% of respondents claimed readiness for PCI DSS v4.0.1, while 27% anticipated compliance by the 31 March 2025 deadline. However, many still lacked clarity on DMARC requirements, with 19% admitting they have little knowledge of its role in email security.

[Figure: Organizations ready to meet PCI DSS requirements]

Companies that Use Third-Party Payment Providers

Businesses relying on third-party payment providers often assume compliance is solely the provider’s responsibility. However, PCI DSS v4.0.1 explicitly requires merchants to secure their email communications. Alarmingly, 63% of these businesses remain uncertain about PCI DSS v4.0.1 compliance requirements regarding DMARC, and nearly half are unfamiliar with DMARC’s role in preventing fraud.

[Figure: Familiarity with PCI DSS graph]

Why Are Companies Slow to Implement DMARC?

Our research highlighted several challenges that hinder DMARC adoption:

  • Knowledge gaps: Many businesses are unaware of DMARC’s security benefits.
  • Technical barriers: Configuring DMARC correctly requires expertise that many organizations lack.
  • Concerns about email deliverability: Fear of legitimate email disruptions leads some to avoid DMARC implementation.
  • Lack of leadership buy-in: Without executive support, security improvements often stall.

How to Prepare for PCI DSS v4.0.1 Compliance

To meet PCI DSS v4.0.1 requirements and strengthen email security, businesses should take the following steps:

[Figure: Five steps to meet PCI DSS requirements]

1. Learn About PCI DSS v4.0.1 Requirements

Understand the updated security measures and how they apply to email security. Businesses must recognize that DMARC compliance is not optional but a mandated requirement.

2. Assess Your Security and Start to Implement DMARC

Conduct a security audit to identify vulnerabilities in email communications. Implementing DMARC through a comprehensive platform like EasyDMARC, with the support of the EasyDMARC engineering team, simplifies the process and ensures proper configuration.

3. Move Towards DMARC Enforcement Gradually

Publishing a DMARC record with a monitoring-only (p=none) policy is just the first step; moving toward a p=reject policy is essential for blocking fraudulent emails. A gradual transition, guided by DMARC experts and informed by the authentication reports collected along the way, ensures security while preventing disruptions to legitimate emails.

4. Consult DMARC Specialists

DMARC implementation requires expertise to avoid misconfigurations and security gaps. DMARC specialists can help with policy enforcement, interpreting reports, and ongoing monitoring to maintain compliance.

5. Maintain Compliance

Compliance is an ongoing process. Regular monitoring and policy updates are essential to keeping email security measures effective. Partnering with a trusted provider like EasyDMARC ensures continuous compliance and protection against emerging threats.
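As an added illustration of the DMARC definition above and of the gradual move toward enforcement described in step 3 (this is example code written for this page, not EasyDMARC's platform or tooling), the following Python script parses a DMARC TXT record, flags the settings a compliance reviewer would question, and names the next rung on the p=none, p=quarantine, p=reject ramp. The sample records, the example.com domain and the reporting mailbox are constructed placeholders; tag semantics follow RFC 7489.

```python
"""DMARC record parser and enforcement-ladder advisor.

Added example, not EasyDMARC's code. The sample records at the bottom are
constructed for illustration; example.com is a placeholder domain.
Tag semantics follow RFC 7489 (v, p, sp, pct, rua).
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into an ordered tag dictionary and validate the
    tags that decide enforcement. Raises ValueError for a record a receiving
    server would ignore (not DMARC, or a missing/invalid policy)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # 'v=DMARC1' must be the first tag; receivers discard the record otherwise
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: 'v=DMARC1' must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("'p' tag missing or not one of none/quarantine/reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct must be an integer 0-100, got {pct!r}")
    return tags


def assess(record: str) -> dict:
    """Return the enforcement level of a record, the gaps a PCI DSS reviewer
    would flag, and the next rung on the p=none -> quarantine -> reject ramp."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    findings = []

    if policy == "none":
        level = "monitoring"   # failing mail is reported but still delivered
    elif policy == "reject" and pct == 100:
        level = "enforced"
    else:
        level = "partial"      # quarantine, or a sampled percentage of mail

    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains at monitoring only")

    if policy == "none":
        next_step = "publish rua, review reports for legitimate senders, then p=quarantine; pct=25"
    elif pct < 100:
        next_step = f"raise pct from {pct} toward 100 for p={policy}"
    elif policy == "quarantine":
        next_step = "move to p=reject once reports show no legitimate failures"
    else:
        next_step = "maintain: keep reviewing aggregate reports for new senders"

    return {"policy": policy, "pct": pct, "level": level,
            "findings": findings, "next_step": next_step}


# Constructed sample records, one for each rung of the ramp (placeholder domain)
SAMPLE_RECORDS = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess(rec)
        print(f"{name:>10}: level={result['level']}; next: {result['next_step']}")
        for finding in result["findings"]:
            print(f"            - {finding}")
```

The script only reads a record string; to check a live domain, fetch the TXT record at `_dmarc.<domain>` with your DNS client of choice and pass it to `assess`. The `pct` tag is what makes the gradual ramp safe: a quarantine policy applied to a sample of failing mail exposes misconfigured legitimate senders in the reports before the policy is applied to everything.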

DMARC is the First Line of Defense

DMARC is not just a compliance requirement; it is a fundamental security measure that businesses must prioritize. Tech giants like Google and Yahoo have long championed DMARC adoption, underscoring its role in protecting email communications. In February 2024, Google and Yahoo mandated that bulk email senders authenticate emails using SPF, DKIM, and DMARC with at least a ‘p=none’ policy.

However, it’s important to note that DMARC is just one layer in a broader cybersecurity framework. Just as companies implement two-factor authentication (2FA) and antivirus software, DMARC should be a standard practice in fraud prevention strategies. Upcoming Visa VAMP changes related to fraudulent and disputed transactions further highlight the importance of email security in financial transactions.

Despite the knowledge gaps and challenges, DMARC implementation doesn’t have to be difficult. With partners like EasyDMARC, businesses can simplify deployment, ensure compliance, and protect themselves from ever-growing cyber threats.

Find out more in our report, ‘State of PCI DSS v4.0.1 Compliance and Email Security in 2025’.

Corporate Marketing Manager
Sarah is a wordsmith turned tech enthusiast with 20 years of experience in demystifying complex concepts. Her content helps our customers become email security heroes.