
PCI DSS v4 Now Requires DMARC – What You Need to Know

If your business handles cardholder data, you’re likely familiar with PCI DSS, the security standard that governs how payment data is processed and protected. But as of March 2025, there’s a new requirement that might catch some organisations off guard: DMARC (Domain-based Message Authentication, Reporting and Conformance) is now part of the standard.

So what does that mean, and what do you need to do about it?


First, What Is DMARC?

DMARC is an email authentication protocol that helps prevent phishing, spoofing, and other email-based attacks. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by giving domain owners a way to:

  • Tell receiving email servers how to handle messages that fail authentication
  • Request reports on how their domain is being used

In short: it gives you visibility and control over your domain’s email reputation.


What’s Changed with PCI DSS v4.0?

Under Requirement 8.6.1 of PCI DSS v4.0 (as of 31st March 2025), organisations must implement controls to protect against email-based threats, and that includes having a DMARC policy in place for all domains used to send email.

This means:

  • You can no longer skip DMARC if you’re subject to PCI compliance
  • You need to align SPF, DKIM, and DMARC properly
  • The policy must be configured to enforce protection (not just monitor)

What Happens If You Don’t Implement DMARC?

Non-compliance could mean:

  • Failing a PCI audit
  • Increased risk of phishing attacks using your domain
  • Potential fines or restrictions from card processors or acquiring banks

More critically, it leaves your staff and customers vulnerable to impersonation attacks that are easily preventable.


How to Get Compliant

  1. Check if your domain has a DMARC record
    Use tools like MXToolbox or nslookup to see if a DMARC record exists.
  2. Start in ‘none’ mode
    Use p=none to begin collecting reports without impacting mail flow.
  3. Review reports and align SPF/DKIM
    Ensure all authorised senders are covered.
  4. Move to ‘quarantine’ or ‘reject’
    Once you have full visibility, update the policy to enforce protection (p=quarantine or p=reject).
  5. Document everything
    Auditors will expect clear records of implementation, monitoring, and enforcement.
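The following Python is an added example, not code from the original article: it takes a domain's DMARC TXT record (published at `_dmarc.<domain>`, which you can fetch with `nslookup -type=TXT _dmarc.yourdomain`) and classifies it against the enforcement bar described in steps 1, 2 and 4. The sample records and domain names are constructed for illustration.

```python
# DMARC record check (added example, not from the article). Fetch the TXT record at
# _dmarc.<domain> and pass the quoted string to assess(). Sample records are constructed.

SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforcing.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforcing.example",
    "no-dmarc.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 and a p= policy tag are both mandatory
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(txt):
    """Classify a record as missing / monitoring / partial / enforcing / invalid, with a reason."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", "no valid DMARC record (needs v=DMARC1 and a p= tag)"
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")          # pct defaults to 100 when absent
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if policy == "none":
        return "monitoring", "p=none only collects reports; raise to quarantine or reject"
    if policy not in ("quarantine", "reject"):
        return "invalid", "unknown policy value p=" + policy
    if pct < 100:
        return "partial", "p=%s applied to only %d%% of failing mail" % (policy, pct)
    if "rua" not in tags:
        return "enforcing", "p=%s enforced, but no rua= address so no aggregate reports" % policy
    return "enforcing", "p=%s enforced on 100%% of failing mail, reports to %s" % (policy, tags["rua"])


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = assess(record)
        print("%-22s %-11s %s" % (domain, status, reason))
```

Only an "enforcing" result with 100% coverage meets the bar in step 4; "monitoring" and "partial" are the states an auditor will flag.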

Need Help?

DMARC isn’t just a checkbox; it’s a vital part of securing your business email and protecting your reputation. If you’re navigating PCI compliance or unsure where your domains stand, we can help review, configure, and monitor everything for peace of mind.

Let’s make compliance easier and your email safer.
© 2026 Commercial Networks LTD