The PCI Security Standards Council (PCI SSC) is a global association tasked with developing and sharing data security standards that help ensure secure payments. Industry participants work to define ongoing enhancements that help the payments industry to strengthen security. Adherence to the standards helps ensure businesses mitigate the risk of breaches.
The Payment Card Industry Data Security Standard (PCI DSS) v4.0 was released in March 2022 to address the challenges facing the payment industry (a limited revision, v4.0.1, followed in June 2024 and supersedes v4.0). As the payment landscape continues to evolve, the standard is revised to enhance security practices and strengthen data protection efforts.
The new version includes a customized approach to implementing requirements, giving organizations greater flexibility in how they deploy the updated controls. A number of requirements in v4.0 are future-dated: they are listed as “best practices” until March 31, 2025, and become mandatory after that date.
PCI DSS 4.0 Requirement Summary
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organization policies and programs
Requirement 5.4: Anti-Phishing Mechanisms Protect Users Against Phishing Attacks
Requirement 5.4 (specifically 5.4.1, which calls for processes and automated mechanisms to detect and protect personnel against phishing attacks) is one of these future-dated requirements, and its guidance cites DMARC, SPF and DKIM among example anti-phishing controls. A recent advisory underlines its importance: on May 2, 2024, the FBI, NSA, and U.S. Department of State issued a joint cybersecurity advisory on North Korean state-sponsored threat actors exploiting weak DMARC security policies to mask spear-phishing efforts.
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that lets a domain owner tell receiving mail servers how to handle messages that claim to come from the domain but fail authentication, which makes direct spoofing of the domain in phishing campaigns far harder. Weak DMARC policies leave financial institutions exposed to exactly that kind of impersonation.
A DMARC record, published as a DNS TXT record at _dmarc.<domain>, states the policy receivers should apply (p=none, quarantine or reject) and where to send reports. DMARC builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail): a message passes DMARC only if at least one of those checks passes and the domain it authenticated is aligned with the domain in the From: header the recipient actually sees.
Using an event invitation as an example, let’s review how each component fits into best practices for securing email.
- SPF: This is your approved guest list for an event. The domain owner publishes in DNS the IP addresses allowed to send mail for the domain, and the receiver checks the connecting server’s IP against that list (i.e. the invitees). Note that SPF is evaluated against the envelope sender (Return-Path) domain, not the From: header the user sees, which is why DMARC’s alignment check matters.
- DKIM: DKIM is the wax seal on your envelope. The sending server signs selected headers and the body with a private key, and the receiver verifies the signature against the public key published in DNS under the signing domain (the d= tag) and selector. An intact seal shows the message was not altered in transit and was signed by a key holder for that domain.
- DMARC: You need a security guard at the event to greet arriving guests, check IDs, and ask to see their invitation. DMARC combines SPF and DKIM: a message passes if either check succeeds for a domain aligned with the From: header, and otherwise the receiver applies the published policy (none, quarantine or reject). The guard confirms guests are who they say they are, that they’re on the approved guest list, and that their invitation has not been altered. The guard (DMARC) also reports back to the event host, through aggregate (rua) and optional failure (ruf) reports, which approved guests were admitted and which uninvited guests attempted to join the party.
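To make the alignment rule concrete, here is an added example (not code from the original post or from any DMARC implementation) that parses a DMARC record and decides a message's fate from its SPF and DKIM results. The domains bank.example, attacker.example and bulk-sender.example and the three records are constructed for illustration; the organizational-domain helper is deliberately simplified and is noted as such in the comments.

```python
"""Minimal DMARC evaluation: parse a record, check alignment, return the disposition."""
from dataclasses import dataclass

# Constructed DMARC records for the hypothetical domain bank.example.
DMARC_REJECT = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@bank.example"
DMARC_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@bank.example"  # monitoring only, no enforcement


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC5322.From header the recipient sees
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (Return-Path) domain SPF was checked against
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if unsigned


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification for this example: the last two labels. Real receivers
    # consult the Public Suffix List so that "bank.co.uk" is not collapsed to "co.uk".
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode matches on organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record: str, record_domain: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    record_domain is the domain the record was published for, needed to decide
    whether the subdomain policy (sp=) applies. The pct= sampling tag is ignored here.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    is_subdomain = r.header_from.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


# Constructed scenarios.
LEGIT = AuthResults("bank.example", "pass", "bank.example", "pass", "bank.example")
# Attacker controls attacker.example, so SPF passes for *their* Return-Path,
# but the From: header claims bank.example: SPF passes yet does not align.
SPOOF = AuthResults("bank.example", "pass", "attacker.example", "none", "")
# Authorized bulk sender: SPF fails (their Return-Path), DKIM signed by a subdomain key.
THIRD_PARTY = AuthResults("bank.example", "fail", "bulk-sender.example", "pass", "mail.bank.example")

if __name__ == "__main__":
    for name, rec in (("reject", DMARC_REJECT), ("strict", DMARC_STRICT), ("none", DMARC_NONE)):
        for label, msg in (("legit", LEGIT), ("spoof", SPOOF), ("third-party", THIRD_PARTY)):
            print(f"{name:6} {label:12} -> {evaluate(rec, 'bank.example', msg)}")
```

The spoof case is the one the advisory is about: a raw SPF "pass" means nothing on its own, because the attacker simply publishes SPF for a domain they own. Only the alignment check ties the authenticated domain to the From: header, and only an enforcing policy turns that failure into a rejected message; under p=none the same spoof is delivered and merely reported.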
Challenges of Weak DMARC Security in Financial Services
- Phishing Attacks: Weak DMARC policies allow attackers to impersonate legitimate financial institutions. They can send deceptive emails to customers, enticing them to reveal sensitive information, initiate a fraudulent wire transfer, or download malicious attachments.
- Brand Reputation Damage: Phishing attacks tarnish a bank’s reputation. Customers lose trust when they receive phishing emails that appear to come from their bank.
- Financial Loss: Successful phishing attacks can lead to financial losses for both customers and the institution.
- Data Breaches: Spoofed emails that pass as legitimate are a common first step in credential theft and malware delivery, which can lead to unauthorized access to customer data and a reportable breach.
Solutions
By following the best practices detailed in requirement 5.4, you can reduce your cybersecurity risk and meet the requirement deadline of March 31, 2025. Get started today on:
- Implementing Strict DMARC Policies: Financial institutions should move their DMARC policy to “reject” (p=reject) so that unauthenticated mail claiming to be from the domain is refused. Get there in stages: start at p=none to inventory every legitimate sender, bring each one into SPF and DKIM alignment, then step through p=quarantine (optionally sampling with pct=) to p=reject. Cover subdomains too (sp=), since an unprotected subdomain is an easy spoofing target.
- Monitoring DMARC Reports: Publish a rua= address and analyze the aggregate reports receivers send back to identify unauthorized sending sources, legitimate senders that are failing alignment, and spoofing attempts.
- Educating Employees and Customers: Train employees to recognize phishing attempts and teach customers best practices to stay secure in emails.
- Implementing a Verified Mark Certificate (VMC): A VMC, used with BIMI (Brand Indicators for Message Identification), displays your registered trademark logo in the avatar slot of participating mail clients, but only for mail that passes DMARC under an enforcing policy (quarantine or reject). It does not stop an attacker from registering a lookalike domain; what it does is give customers a visible cue that mail from a lookalike domain will lack, making your legitimate email easier to tell apart from an attacker’s.
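The monitoring step above is where spoofing first becomes visible. As an added example (not code from the original post), the following parses a DMARC aggregate report in the RFC 7489 XML format and separates aligned senders from failures. The report, the reporting organization receiver.example, the IP addresses and the counts are all constructed; the shape of the XML follows the standard's aggregate-report schema.

```python
"""Parse a DMARC aggregate (rua) report and flag DMARC failures that were still delivered."""
import xml.etree.ElementTree as ET

# Constructed aggregate report: one legitimate source and one spoofing source,
# received while bank.example was still publishing p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1714608000</begin><end>1714694399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>bank.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>bank.example</domain><result>pass</result></dkim>
      <spf><domain>bank.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str):
    """Return (policy_published, rows). Each row is one source IP summary.

    Reports arrive from third parties by email: in production parse them with a
    hardened parser such as defusedxml rather than the stdlib ElementTree used here.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    published = {k: pub.findtext(k) for k in ("domain", "p", "sp", "pct")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        raw_spf = rec.find("auth_results/spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results DMARC actually used
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "disposition": evaluated.findtext("disposition"),
            # raw SPF domain shows who really sent it when alignment failed
            "raw_spf_domain": raw_spf.findtext("domain") if raw_spf is not None else None,
        })
    return published, rows


def dmarc_failures(rows):
    """Rows where neither SPF nor DKIM passed in alignment with the From: domain."""
    return [r for r in rows if not (r["dkim_aligned"] or r["spf_aligned"])]


def is_enforcing(published) -> bool:
    return published["p"] in ("quarantine", "reject")


def delivered_despite_failure(published, rows) -> int:
    """Messages that failed DMARC but were delivered because the policy was p=none."""
    return sum(r["count"] for r in dmarc_failures(rows) if r["disposition"] == "none")


if __name__ == "__main__":
    published, rows = parse_aggregate_report(SAMPLE_REPORT)
    print("policy:", published["p"], "enforcing:", is_enforcing(published))
    for r in dmarc_failures(rows):
        print(f"FAIL {r['source_ip']} x{r['count']} From:{r['header_from']} "
              f"raw SPF domain={r['raw_spf_domain']} disposition={r['disposition']}")
    print("delivered despite failure:", delivered_despite_failure(published, rows))
```

Reading the second record the way the code does is the point of the exercise: the raw SPF result is a pass for attacker.example, so a report viewer that shows only raw results looks clean, while the aligned results in policy_evaluated show 35 spoofed messages that were delivered because the published policy was still p=none. Aggregate reports contain no message content, only per-source counts, so they are safe to analyze routinely; the failure (ruf) reports can carry headers and are sent by few receivers.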
Weak DMARC security poses significant risks to financial services and can impact the outcomes of your PCI DSS 4.0 audits. By adopting secure DMARC best practices now, you can help mitigate fraud risk, safeguard sensitive data, and secure your customers’ trust. If you need assistance with a DMARC solution, you’ll find a list of service providers who can assist on our VMC product page.
Although Requirement 5.4.1 will not be mandatory until March 31, 2025, implementing the appropriate DMARC configuration for your domain now will move your organization one step closer to completing your PCI DSS 4.0 goals.