Learn how DMARC helps with PCI Compliance

Chapter 7

9 min

The PCI DSS (Payment Card Industry Data Security Standard) is a set of security guidelines designed to ensure that organizations securely process, store, or transmit financial cardholder information. As a global standard, PCI DSS includes 12 core requirements with over 300 sub-requirements and controls. The level of mandatory compliance depends on the type of cardholder data your organisation handles and your business model.

Failure to comply with PCI DSS can lead to severe consequences, including monetary fines and reputational damage. To mitigate these risks, most organizations handling cardholder data aim to maintain compliance.

One key element is the setup and ongoing maintenance of Domain-based Message Authentication, Reporting, and Conformance (DMARC). This article explores the role of DMARC in PCI DSS compliance and also shares some important security best practices to keep in mind when maintaining DMARC.

Summary of key email security protocols and their importance

Concept	Description
Overview of DMARC	DMARC is an email security protocol that is implemented as a DNS TXT record by domain owners to help improve domain impersonation protection.
Overview of PCI DSS	PCI DSS is a set of security standards that a company must comply with if it processes any type of credit card information.
Why DMARC matters for PCI DSS compliance	Helps prevent email spoofing or impersonation, reducing the risk of payment card data being stolen in phishing emails. Improves email security monitoring and protects against malware that is spread via email.
DMARC best practices in PCI-Compliant environments	Securely set up SPF and DKIM Enforce DMARC in strict mode Regularly reviewing PCI DSS security standards for changes
How to maintain DMARC over time	Regularly review your DMARC, SPF, and DKIM records, analyze DMARC reports, and document any updates to ensure compliance with PCI DSS audit requirements.

Overview of DMARC

DMARC is a relatively new email authentication protocol that is built on top of DKIM/SPF. It was created by the Internet Engineering Task Force (IETF) community in 2012 to address a significant weakness of DKIM and SPF: the lack of alignment between these protocols and the "From" email header.

Moreover, DMARC allows domain owners to receive two types of DMARC reports: one that summarizes all DMARC verifications performed by receiver mail servers on the Internet for your domain, and another, a detailed report focused only on failed DMARC verifications.

Both these additions help improve the overall email security and prevent email spoofing or business email compromise (BEC). Note that, while the technical DMARC setup and reports are not in scope of this article, we explore DMARC in detail in another article of this multi-chapter guide.

Overview of PCI DSS

PCI DSS is a global information security standard developed by the Payment Card Industry Security Standards Council (PCI SSC). It is designed to ensure that all organizations that process, store, or transmit credit card information maintain a secure (IT) environment.

Compliance with this security standard affects merchants, service providers, and any entity involved in the card payment ecosystem.

PCI DSS is comprised of the following 12 core security requirements:

Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data by encrypting it and ensuring it is stored securely.
Encrypt transmission of cardholder data across open, public networks.
Use and regularly update anti-virus software or programs to protect systems against malware.
Develop and maintain secure systems and applications by addressing vulnerabilities through patch management and security updates.
Restrict access to cardholder data by using strong access control measures.
Identify and authenticate access to system components by assigning unique IDs to each person who has computer access.
Restrict physical access to cardholder data through security controls like locks and surveillance.
Track and monitor all access to network resources and cardholder data using logging mechanisms.
Regularly test security systems and processes through vulnerability scanning, penetration testing, etc.
Maintain an information security policy that addresses the security requirements of your organization.

While compliance with all these requirements is recommended, it is not mandatory. Various factors influence the degree of PCI DSS compliance required for your organization, such as:

Volume of financial transactions
Payment environment (e.g., e-commerce or in-person)
Type of financial data processing
Type of payment methods and systems

Why DMARC matters for PCI DSS compliance

Phishing or BEC is the most popular initial attack vector that threat actors use to breach a company. This often leads to a malware infection, ransomware, data exfiltration, (financial) data tampering and abuse, persistence access to sensitive data, etc. To avoid such severe consequences, it is crucial to boost your overall email security.

One of the methods to achieve this is implementing DMARC in addition to SPF and DKIM. The main purpose of DMARC is to prevent domain spoofing and provide regular DMARC authentication reports. However, it also indirectly contributes to PCI DSS compliance by partially satisfying the following requirements:

Requirement 3: Protect stored cardholder data

While this requirement is more concerned with the encrypted secure storage of cardholder data, a successful targeted phishing attack undermines data security. For example, if the phishing target is authorized to decrypt and access cardholder data, they might provide this information to a threat actor that is impersonating the CFO. Despite the many security measures in place protecting the data from unauthorized entities, this attack vector bypasses all of them.

Your organization can mitigate this by implementing DMARC, which ensures that spoofed spearphishing emails impersonating your domain are not delivered to your employees.

Requirement 7: Restrict access to cardholder data

Phishing aims to steal credentials from victims. By enforcing DMARC verification on your mail servers, phishing emails impersonating major brands like Microsoft or PayPal will be stopped before they reach your employees, preventing a credential compromise. For example, if the organization is using the Microsoft 365 Suite and a victim’s credentials are phished, a threat actor can use this access and enumerate all SharePoint or OneDrive files the victim has access to. This data might include cardholder information.

Requirement 10: Track and monitor all access to network resources and cardholder data

DMARC reports provide visibility into email authentication for your domain, which helps identify spoofed emails from your domain. By tracking unauthorized email sources, DMARC enables organizations to monitor and identify potentially malicious activity, supporting broader security monitoring efforts around sensitive data.

Requirement 11: Regularly test security systems and processes

DMARC is an important part of any email security testing when it comes to domain spoofing. Same as SPF and DKIM, regular maintenance and report analysis are required to assess the effectiveness of your email security defenses.

DMARC security best practices in PCI-Compliant environments

You can follow the best practices below to ensure the effectiveness of DMARC and its contribution to PCI DSS.

Correctly set up DMARC

Given that DMARC relies on the correct setup of SPF and DKIM, it is crucial to double-check and ensure that these implementations are also secure and follow security best practices. Furthermore, to fully benefit from DMARC, after proper testing, ensure that the DMARC record is set to p=reject. This way, any spoofed email that fails DMARC verification will be rejected and never reach the intended victim, preventing potential cyberattacks or data exfiltration of cardholder information.

Integrate DMARC with your security operations

To make use of DMARC XML reports, consider integrating them with a SIEM solution or a solution that automatically parses and analyzes such reports. This enables the security team to correlate DMARC authentication results with other logs, providing a more comprehensive view of the organization’s security posture and facilitating the identification of attack patterns. Moreover, this helps satisfy the 10th requirement of PCI DSS.

For instance, if DMARC reports reveal that a particular IP address is sending a large volume of spoofed emails using your domain, and other log sources also show that the same IP is attempting to exploit vulnerabilities in your public-facing systems, this could indicate a coordinated and targeted attack on your organization. The attack against the public-facing systems might not seem unusual to a security analyst since the entire Internet constantly scans all public-facing systems. However, if the same IP is also observed in spoofed emails and reported by DMARC, this might indicate an active attempt to breach your organization. As a result, your organization can block the malicious IP address, thwarting a cyberattack in its early steps.

Review changes in PCI DSS requirements

Like any security standard in an ever-changing IT environment, PCI DSS guidelines also change with time. If PCI DSS requirements evolve, so should the security measures implemented to comply with them. Your organization must periodically review and ensure that its email authentication policies remain aligned with current standards.

How to maintain DMARC over time

It's crucial to understand that PCI DSS, like any security standard, is not a one-time task. Regular audits, often conducted by various (government) agencies, are necessary to verify ongoing compliance with these standards. This means your organization must be prepared and consistently meet compliance requirements before such audits to avoid penalties or fines.

Regularly monitoring DMARC, documenting/logging any changes to the DMARC record, and analyzing the daily DMARC XML reports are essential to prove the ongoing compliance with PCI DSS. While this might sound like a lot of work, you can implement a solution that performs all these cumbersome steps and takes the burden off your shoulders, allowing you to focus on other areas of PCI DSS compliance that require your attention.

Lastly, since DMARC depends on SPF and DKIM for proper functioning, it's important to regularly monitor and maintain these protocols as well.

By maintaining proactive DMARC monitoring and maintenance, your organization can stay ahead of email spoofing and phishing threats, ensuring continued PCI DSS compliance in the long run.

card-4

Final words

The PCI DSS is a set of security standards that consists of 12 security requirements that an organization must comply with to be considered fully compliant. While email security alone is not enough to fully comply with these 12 requirements, it can partially contribute to requirements 3, 7, 10, and 11. Remember, setting up DMARC alone is not enough to remain PCI DSS-compliant; regular DMARC monitoring and report analysis are also necessary.

Previous Chapter Next Chapter