IT Brief Australia - Technology news for CIOs & IT decision-makers
Mon, 24th Mar 2025

According to new research by EasyDMARC, a significant number of businesses handling payments are at risk of missing the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 compliance due to delays in implementing the required DMARC protocol.

The research highlights that 62% of these organisations have not yet adopted DMARC. PCI DSS v4.0 Requirement 5.4.1 calls for mechanisms that detect and protect personnel against phishing attacks; it was a best practice until 31 March 2025 and is mandatory from that date, and the Council's guidance for it names DMARC, SPF and DKIM as the expected anti-spoofing controls. The gap is concerning given the rising threat of phishing attacks, with 64% of businesses reporting an increase over the past year.

DMARC, short for Domain-based Message Authentication, Reporting, and Conformance, lets a domain owner publish a DNS TXT record at _dmarc.<domain> that tells receiving mail servers what to do with messages claiming to come from that domain but failing SPF or DKIM in alignment with the visible From: address. The record's p= policy is what matters: p=reject or p=quarantine makes receivers block or divert spoofed mail before it reaches inboxes, whereas p=none only asks for reports and leaves delivery unchanged. A domain that stops at p=none has visibility but no protection, which is the first thing to check when a business says it "has DMARC".

Despite DMARC's critical role in enhancing email security, only 38% of PCI DSS-regulated businesses have implemented the protocol, although 72% of them believe they are ready to comply with the requirements. This discrepancy reveals a significant disconnect between perceived and actual compliance with DMARC, largely attributed to a lack of internal expertise, awareness, and technical strategy necessary for effective implementation.

Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC, stated, "Payment businesses handle vast amounts of sensitive data, making them prime targets for cyber threats. It's critical they proactively strengthen email security now to avoid scrambling once an attack occurs or compliance deadlines are missed."

EasyDMARC's research findings underline that 49% of businesses admit to having limited knowledge about DMARC or how to implement it, and 39% cite the lack of expertise or the technical complexity involved as major hurdles in adopting the protocol.

The PCI Security Standards Council has introduced stricter anti-phishing measures in response to evolving threats, and its guidance names DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) together as the anti-spoofing controls for payment-related email. The three are not independent: a DMARC check passes only when SPF or DKIM passes and the domain it authenticated aligns with the From: address, so DMARC cannot be deployed on its own. Every legitimate sending source (payment notifications, marketing platforms, ticketing systems) must be covered by SPF or signed with DKIM before the policy is moved to enforcement, or that source's mail will be rejected alongside the spoofed messages.
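To make concrete what "verifying sender authenticity" means at the receiving end, the following is an added Python example, not code from the article, EasyDMARC or the PCI SSC. It parses a DMARC TXT record, applies the SPF/DKIM alignment rules of RFC 7489 the way a receiving server does, and flags the posture problems a reviewer would raise, such as a p=none record that only monitors. The domains, records and authentication results are constructed for illustration, and the organizational-domain helper is a stated simplification (real receivers consult the Public Suffix List).

```python
"""DMARC evaluation and posture check.

Added example (not from the article, EasyDMARC or the PCI SSC). All domains,
records and authentication results below are constructed for illustration.
Follows the alignment and policy rules of RFC 7489 in simplified form.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Outcome of the receiver's SPF and DKIM checks for one message."""
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that validated ("" if none)


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc.<domain> TXT record into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p= is mandatory; otherwise receivers ignore
    # the record, which is equivalent to having no DMARC at all.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 first and a p= tag)")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.
    Assumption/simplification: last two labels; real receivers use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default) needs
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain: str, record: str, auth: AuthResult) -> str:
    """Disposition a receiver applies: 'pass', or the record's p= value
    ('none', 'quarantine', 'reject') when neither SPF nor DKIM passes in
    alignment with the visible From: domain. pct= sampling is not applied
    here; posture() reports it instead."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


def posture(record: str) -> list:
    """Findings a reviewer would raise about a domain's DMARC record."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if tags["p"].lower() == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only a fraction of failing mail")
    if tags.get("sp", tags["p"]).lower() == "none" and tags["p"].lower() != "none":
        findings.append("sp=none: subdomains of an enforcing domain can still be spoofed")
    return findings


# Constructed records: one domain that only monitors, one that enforces.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    legit = AuthResult(True, "bounce.example.com", False, "")   # SPF on a subdomain, relaxed-aligned
    spoof = AuthResult(True, "attacker.example", False, "")     # attacker's own SPF passes, not aligned
    sig_sub = AuthResult(False, "", True, "mail.example.com")   # DKIM d= on a subdomain; fails adkim=s
    for label, rec in (("monitor", MONITOR_RECORD), ("enforce", ENFORCE_RECORD)):
        print(label, "legit:", evaluate("example.com", rec, legit),
              "spoof:", evaluate("example.com", rec, spoof),
              "subdomain-dkim:", evaluate("example.com", rec, sig_sub))
        print(label, "posture:", posture(rec) or ["ok"])
```

Running it shows the point the survey numbers hide: the same spoofed message is delivered under the monitoring record and rejected under the enforcing one, and the strict adkim=s setting rejects mail that is DKIM-signed by a subdomain, which is the kind of legitimate-source breakage that keeps organisations stuck at p=none.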

The study conducted by EasyDMARC surveyed 502 IT decision-makers from various sectors, including software/technology, financial services, retail, and e-commerce across the UK, US, Australia, and New Zealand. The research evaluated industry readiness and compliance with the updated PCI DSS 4.0.1 standards.

Expressing concern over the findings, Gerasim Hovhannisyan said, "Our research reveals that while 72% of businesses believe they're on track for PCI DSS compliance, only 38% have actually implemented DMARC. This gap leaves a significant number of organisations exposed to phishing attacks and non-compliance penalties."

The findings point to a need for increased awareness and more proactive measures among businesses to address the compliance shortfall, ensuring that organisations are both aware of and equipped to meet the new PCI DSS requirements ahead of 31 March 2025, the date on which the v4.0 future-dated requirements, 5.4.1 among them, become mandatory.
