By the end of March 2025, DMARC implementation will be mandatory under PCI DSS (Payment Card Industry Data Security Standard) version 4.0. This is a future-dated requirement from the PCI SSC (PCI Security Standards Council), which gives companies that handle card information time to prepare. Many companies, however, are still unfamiliar with DMARC policies and with how to reach the goal of p=reject, the strictest DMARC policy: it instructs receivers to reject all email from unauthorised sources, giving you confidence in your email infrastructure and in the protection of sensitive cardholder data.
Furthermore, organisations may not be aware that reaching a DMARC policy of p=reject can take 6-12 months, depending on the complexity of the environment.

What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication protocol that helps domain owners protect their domain from unauthorised use, commonly known as email spoofing, and so protects companies from email-based attacks such as phishing and impersonation.
DMARC is essential for organisations that process personally identifiable information (PII) because it helps prevent unauthorised access to sensitive data. By implementing DMARC, organisations can ensure that only authorised personnel can access PII, thereby reducing the risk of data breaches and cyber-attacks. DMARC also helps organisations comply with data protection regulations such as GDPR.
How does it work?
DMARC builds on two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to authenticate outgoing messages. It allows the administrative owner of a domain to publish a policy in DNS that specifies how receivers should check the From: header presented to end users, how they should handle failures, and how they should report the actions taken under that policy.
- Publishing your DMARC record – the DMARC TXT record must be published for each domain the organisation owns.
- Collecting data – once the record is published, DMARC reports describing the sources sending as your domains will be received.
- Analysing the data – legitimate and illegitimate sources can then be identified per domain.
- Authenticating the authorised sources – once the legitimate sources are known, SPF and DKIM are configured for each of them, per domain.
- Start enforcing the policy – once authentication is aligned, you can safely move each domain to a reject policy.
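To make the authentication and alignment logic behind those steps concrete, here is an added example (not from the original post or from Mimecast) of how a receiving mail server applies a published DMARC record; the record, domain names and authentication results are constructed, and the organisational-domain lookup is simplified to the last two labels.

```python
# Added example (not from the original post or from Mimecast): how a receiving
# mail server applies a published DMARC record, following the RFC 7489 logic.
# The domain names, record and authentication results below are constructed.

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels. Real receivers use the
    # Public Suffix List so that 'shop.example.co.uk' maps to 'example.co.uk'.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passes AND
    that identifier aligns with the From: domain; otherwise the p= tag decides."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed record: strict DKIM alignment, relaxed SPF alignment, reports to rua.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Legitimate mail: bounce domain mail.example.com is relaxed-aligned with From: example.com.
    print(evaluate(RECORD, "example.com", True, "mail.example.com", True, "example.com"))
    # Spoofed message: SPF passes only for an unrelated sending domain and there is no DKIM signature.
    print(evaluate(RECORD, "example.com", True, "unrelated-sender.test", False, ""))
    # Same spoof while still monitoring (p=none): delivered, but visible in the reports.
    print(evaluate(RECORD.replace("p=reject", "p=none"), "example.com", True, "unrelated-sender.test", False, ""))
```

The third case is why the monitoring stage matters: with p=none nothing is blocked yet, but the aggregate reports already show which sources fail alignment and need SPF or DKIM configured before moving to p=reject.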
Who needs it?
Any organisation that processes, stores, or transmits any form of card data will need DMARC in place to comply with PCI DSS version 4.0. The industries to focus on are:
- Healthcare – The healthcare industry handles sensitive patient information, including payment card data for medical services.
- Retail and e-commerce – Retailers extensively process card payments, making them a prime target for data breaches.
- Hospitality – The hospitality industry, including hotels, resorts, and restaurants, handles a significant volume of credit and debit card transactions.
- Financial services – They process card payments for the industries above and therefore also require PCI DSS compliance.
Mimecast DMARC Analyzer and Managed Services
Infinigate Cloud and Mimecast are here to help. Mimecast’s DMARC Analyzer provides best-in-breed monitoring and reporting tools that can help you and your customers attain p=reject. If you do not have the in-house skills or capacity to deliver this yourself, Mimecast also offers a fully managed service that guides you all the way to completion of the project.
For more information
As a born-in-the-cloud distributor with a deep technical heritage, Infinigate Cloud continually invests in our teams and evolves our value-add services to ensure we deliver the very best in technical expertise and 24x7 support for our partners.
If you are interested in finding out about how we can help you add value to your business or you would like to know more about Mimecast’s DMARC Analyzer, please contact us and we’ll be happy to chat through any of your questions.
By becoming an Infinigate Cloud partner, you will be allocated a dedicated Account Manager and gain access to world-class support, an integrated provisioning and billing platform, and a training and enablement programme that can spark your growth.