requirements, including the implementation of DMARC*. However, new research from email security provider
EasyDMARC
revealed that two-thirds (62%) of organisations have yet to implement the required email safeguards, which means they may not be compliant with the Standard.
Established in 2004, PCI DSS has long been the foundation of payment security standards. Developed jointly by major credit card companies, it ensures consistent data security measures across the payment industry. Its primary purpose is to protect sensitive
cardholder information from theft, fraud, and data breaches by establishing rigorous security protocols for businesses that handle credit card transactions.
Recognising evolving threats, the PCI Security Standards Council has recently, with its latest 4.0.1 version, introduced stricter anti-phishing measures to combat fraudulent payment-related communications – a risk that EasyDMARC’s research found is increasing
year-on-year, according to 64% of businesses.
To better understand how businesses are preparing for the new PCI DSS Standard, EasyDMARC commissioned a study that surveyed over 500 IT decision-makers from organisations that process cardholder information across the UK, US, Australia, and New Zealand. The
research explored industry readiness and compliance with the PCI DSS 4.0.1 requirements.
The research finds 72% of businesses believe they’re on track for PCI compliance, but when asked about their preparedness, only 38% have implemented DMARC, a requirement of the new Standard. This discrepancy is fueled by a lack of awareness and expertise: 63%
are unfamiliar with the Standards’ requirements, and nearly half (49%) mistakenly believe DMARC compliance falls solely on their payment providers, overlooking their own obligation to secure payment-related communications.
These findings highlight a concerning gap between perceived readiness and actual preparedness, emphasising a need for greater awareness and proactive measures to address compliance shortcomings.
Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC, said:
“Payment businesses handle vast amounts of sensitive data, making them prime targets for cyber threats. It’s critical they proactively strengthen email security now to avoid scrambling once an attack occurs or compliance deadlines are missed.
“Our research reveals that while 72% of businesses believe they’re on track for PCI DSS compliance, only 38% have actually implemented DMARC. This gap leaves a significant number of organizations exposed to phishing attacks and non-compliance penalties.”
Notes to Editors:
-
The study surveyed 502 IT decision-makers from the software/technology, financial services, retail, and e-commerce sectors across the UK, US, and ANZ.
-
*DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email validation system that detects and prevents email spoofing, preventing phishing attacks
-
** Requirement 5.4.1 of the new PCI DSS v4.0.1 introduces stricter anti-phishing measures requiring organisations to implement DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to protect payment-related emails from spoofing
and fraud.
