Research indicates that two-thirds (62%) of organisations have yet to implement the required email safeguards ahead of the March 31st deadline for the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 compliance, which means they may not be compliant with the Standard.
Specifically, the EasyDMARC research notes that businesses handling card payments must meet new anti-phishing requirements, including the implementation of DMARC.
Established in 2004, PCI DSS has long been the foundation of payment security standards. Developed jointly by major credit card companies, it ensures consistent data security measures across the payment industry. Its primary purpose is to protect sensitive cardholder information from theft, fraud, and data breaches by establishing rigorous security protocols for businesses that handle credit card transactions.
In response to evolving threats, the PCI Security Standards Council has, in its latest version (4.0.1), introduced stricter anti-phishing measures to combat fraudulent payment-related communications, a risk that 64% of businesses in EasyDMARC’s research say is increasing year-on-year.
To better understand how businesses are preparing for the new PCI DSS Standard, EasyDMARC commissioned a study that surveyed over 500 IT decision-makers from organisations that process cardholder information across the UK, US, Australia, and New Zealand. The research explored industry readiness and compliance with the PCI DSS 4.0.1 requirements.
The research finds that 72% of businesses believe they’re on track for PCI compliance, but when asked about their preparedness, only 38% have implemented DMARC, a requirement of the new Standard. This discrepancy is fuelled by a lack of awareness and expertise: 63% are unfamiliar with the Standard’s requirements, and nearly half (49%) mistakenly believe DMARC compliance falls solely on their payment providers, overlooking their own obligation to secure payment-related communications.
EasyDMARC says these findings highlight a concerning gap between perceived readiness and actual preparedness, emphasising a need for greater awareness and proactive measures to address compliance shortcomings.
Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC, said: “Payment businesses handle vast amounts of sensitive data, making them prime targets for cyber threats. It’s critical they proactively strengthen email security now to avoid scrambling once an attack occurs or compliance deadlines are missed.
“Our research reveals that while 72% of businesses believe they’re on track for PCI DSS compliance, only 38% have actually implemented DMARC. This gap leaves a significant number of organizations exposed to phishing attacks and non-compliance penalties.”