SPF, DKIM, and DMARC

Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC

ByBrad Slavin
Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC
Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC
/

Most cyberattacks are aimed at financial gain. Since so many online platforms require credit and debit cards for payments, card fraud is on the rise. With more than 17.45 billion credit, debit, and prepaid cards in use globally, fraudsters today have more opportunities than ever to exploit them. The situation is so bad that as many as 62 million Americans experienced credit card fraud in 2024. 

With such grave news and statistics emerging daily, the Payment Card Industry (PCI) has recognized the need to establish stricter security controls over the extensive and ever-expanding digital payment ecosystem.

Therefore, in June 2024, PCI began recommending DMARC, SPF, and DKIM to strengthen cybersecurity, as outlined in Section 5.4.1 of its updated PCI DSS version 4.0.1.

This blog discusses what SPF, DKIM, and DMARC are and why PCI encourages their deployment.

Sender Policy Framework

What are SPF, DKIM, and DMARC- a brief explanation

SPF (Sender Policy Framework)

It’s an email authentication protocol that allows the domain owner to list all the mail servers and IP addresses they trust and authorize to be used for sending emails on their behalf. Any email sent from an IP address or mail server outside of the list is considered unauthorized and potentially fraudulent. The domain owner directs the recipient’s server to either mark such illegitimate emails as spam or reject them altogether. This helps prevent phishing emails from reaching the victim’s inbox

DKIM (DomainKeys Identified Mail)

DKIM lets the sender attach a digital signature to each outgoing email. This signature is created using a private cryptographic key and is added to the email’s header. When the email reaches the recipient’s server, it retrieves the sender’s public key from DNS records to verify that the email’s content hasn’t been tampered with during transit and that it was truly sent by the claimed domain.

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is built on the results of SPF and DKIM. If an incoming email fails both checks, DMARC tells the receiving server what to do — deliver, quarantine, or reject it — based on the sender’s published DMARC policy. It also provides reports, allowing domain owners to monitor and improve their email security

The role of emails in payment fraud

Emails are often the first point of attack for threat actors trying to get their hands on credit and debit card details or tricking companies into wire transferring money to their accounts. They send impersonated phishing emails that are written so flawlessly and convincingly that recipients often don’t bat an eye before proceeding with the request made by them. They usually send the emails in the name of reputed banks, vendors, or even internal executives to:

Business Email Compromise (BEC) attacks
  • Steal cardholder information by tricking employees or customers into entering details on fake websites.
  • Launch Business Email Compromise (BEC) attacks where they convince finance teams to make unauthorized wire transfers.
  • Distribute malware that captures payment information from internal systems.
  • Spoof legitimate domains to make the fraudulent email look credible and bypass basic security checks.

Since the Payment Card Industry handles sensitive, high-value transaction data, even a single successful email scam can result in substantial financial losses, regulatory penalties, and reputational damage.

Who is affected by PCI’s new requirement?

With this new requirement, all organizations, including merchants, must implement and properly configure DMARC for their domains. This ensures that only authorized and legitimate emails pass security checks and land in the recipients’ inboxes, mitigating the risk of threat actors impersonating employees of credible organizations and duping them into sharing sensitive financial details

Cybersecurity

This new rule is expected to have a significant impact on overall cybersecurity, as it affects anyone involved in handling payment card data, including merchants, payment processors, banks (issuers and acquirers), and service providers. It primarily affects-

  • Systems, people, and processes that store, process, or send cardholder data or sensitive authentication data (SAD).
  • Systems, people, and processes that, even if not directly handling card data, could still affect the security of the cardholder environment.
  • Systems that don’t handle card data directly but are connected to systems that do, and could be exploited to access sensitive information.

Sensitive Authentication Data (SAD) includes elements like CVV codes, full magnetic stripe data, PINs, and PIN blocks. This information is highly sensitive, and if a malicious entity gains access to it, they can commit significant financial fraud. That’s precisely why storing SAD after payment authorization is strictly forbidden

cvv codes

Impact on the finance and payment companies

This significant security measure imparts the following benefits to the finance and payment companies, especially the ones storing card details-

1. Stronger defense against phishing and spoofing emails

Cybercriminals often hack email accounts or create fake ones to send convincing emails — now made even easier with the use of AI tools — pretending to be trusted companies. They trick prospects, clients, or employees into clicking fake links or sharing their credit card information.. Since these messages appear to come from a legitimate source, recipients proceed with the request. 

However, with SPF, DKIM, and DMARC in place, such emails are filtered and blocked, thereby protecting victims from cyber threats.

phishing and spoofing emails

2. Enhanced regulatory compliance

When these email authentication protocols are implemented, organizations demonstrate their commitment to protecting sensitive customer data, thereby meeting regulatory requirements and avoiding potential penalties.

3. Competitive advantage

By adopting these security measures early, financial companies can show they take cybersecurity seriously. It helps them stand out from competitors and build trust with customers and partners who care about security.

The way forward

Over the last year, many organizations and regulatory bodies have begun emphasizing the adoption of DMARC. It has become a standard part of primary checklists or security features that prospects consider before investing in new services—and considering the current digital threat landscape, it is only wise to do so.

So, if you also store cardholder data but haven’t set up DMARC for your domain, please contact us. Let us help you avoid losing business or becoming entangled in legal issues due to security concerns.

Similar Posts

Major Cybersecurity Trends That Will Reign in 2024

Major Cybersecurity Trends That Will Reign in 2024

ByBrad Slavin

2023 was a testament to the relentless advancement of cyber threats, as we witnessed a wave of sophisticated attacks ranging from damaging phishing scams to complex ransomware operations. And to think that dealing with the wrath of these attacks would have been easy is a mistake! Keeping the business up and running, protecting sensitive information,…

The Importance of Email Statistics in Email Security and How DMARC Can Help

ByBrad Slavin

Listen to this blog post below emailsecurity · Email Stats And DMARC: Enhancing Security Email statistics, especially DMARC statistics, can be an invaluable tool in enhancing the email security of any organization by preventing spoofing and safeguarding its reputation. In this digital era, email communication is the most widely used channel for information exchange in…

How to Add a DMARC Record to DNS?
| |

How to Add a DMARC Record to DNS?

ByBrad Slavin

Learning how to generate and add a DMARC record to DNS helps fortify phishing and spoofing attacks. DMARC is short for Domain-based Message Authentication Reporting and Conformance, a protocol designed to help recipients’ mail servers identify genuine and suspicious emails.  To add a dmarc record to DNS, you need to update your DNS settings with…

How Often Should You Rotate Your DKIM Keys?

ByBrad Slavin

DKIM, which is short for DomainKeys Identified Mail, is an email authentication method that supports a receiver’s email server in verifying if the signed fields of an incoming email have been tampered with in transit or not. This phenomenon is performed by matching the public and private keys at the recipient’s end.  As per M3AAWG…

What is a DMARC Policy, and How Does It Affect Sending My Emails?

ByBrad Slavin

Listen to this blog post below DMARC Report · What Is A DMARC Policy, And How Does It Affect Sending My Emails? This text will delve into the details of DMARC and share how it influences the sending of emails. Read on to how this email authentication protocol works. Email is the primary communication tool…