Organizations That Deal With Cardholder Information Must Adopt DMARC
Penalties for non-compliance range as high as $100,000.

If your business handles cardholder data or processes payments, take note: You must implement DMARC by March 31, 2025. Failure to do so could result in penalties as high as $100,000.
Why implement DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to block email spoofing. Spoofing occurs when a bad actor impersonates a trusted source, usually by sending email that appears to come from a legitimate address, and tricks a victim into divulging sensitive or important information—especially authentication credentials. Bad actors can then use that information to break into victims’ accounts and, from there, their organizations’ networks.
Spoofing and phishing schemes are on the rise: According to The Hacker News, over 94% of organizations were caught in phishing scams in 2024. Artificial intelligence has supercharged this practice, making it easier than ever to launch these scams. In fact, AI phishing schemes increased by over 51% over the past few years.
When a domain owner implements DMARC, recipients are protected from spoofed messages that claim to come from that domain. All organizations should likely be using DMARC, but the next wave of organizations that must use it are those that deal with cardholder information and payment processing, as this data is particularly sensitive.
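To make concrete how DMARC actually stops a spoofed message, here is an added example (not code from the article) of the check a receiving mail server performs: look up the sender domain's DMARC record, test whether the SPF or DKIM result aligns with the visible From domain, and otherwise apply the published policy. The DNS records are constructed sample data, the SPF/DKIM results are supplied as inputs rather than computed, and the organizational-domain logic is a simplification (real receivers consult the Public Suffix List).

```python
"""Simplified DMARC evaluation (added example, not the article's code).

A receiver applies DMARC in three steps:
  1. Fetch the TXT record at _dmarc.<From-domain>; if none, fall back to the
     organizational domain, whose sp= tag governs subdomains.
  2. Check identifier alignment: did SPF or DKIM pass for a domain that
     aligns with the RFC 5322 From domain?
  3. If nothing aligns, apply the domain owner's policy (none/quarantine/reject).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample DMARC records (assumption: stands in for a live DNS lookup).
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for this example; production code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                  # domain in the visible From: header
    spf_pass_domain: Optional[str]    # MAIL FROM domain SPF passed for, or None
    dkim_pass_domain: Optional[str]   # d= of a verified DKIM signature, or None


def evaluate(results: AuthResults, dns=SAMPLE_DNS) -> str:
    """Return 'pass', 'no-policy', or the policy to apply (none/quarantine/reject)."""
    domain = results.from_domain.lower()
    record = dns.get(f"_dmarc.{domain}")
    policy_tag = "p"
    if record is None:
        # Subdomain without its own record: the org domain's sp= (or p=) applies.
        record = dns.get(f"_dmarc.{org_domain(domain)}")
        policy_tag = "sp"
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    if aligned(results.dkim_pass_domain, domain, policy["adkim"]) or \
       aligned(results.spf_pass_domain, domain, policy["aspf"]):
        return "pass"
    return policy.get(policy_tag, policy["p"])


if __name__ == "__main__":
    # A message whose From: says example.com but whose SPF pass belongs to a
    # different domain is exactly the spoof DMARC is built to catch.
    spoof = AuthResults("example.com", spf_pass_domain="attacker.example", dkim_pass_domain=None)
    legit = AuthResults("example.com", spf_pass_domain=None, dkim_pass_domain="example.com")
    print("spoofed message  ->", evaluate(spoof))
    print("legitimate message ->", evaluate(legit))
```

The example also shows why the policy tag matters for the compliance deadline: a domain publishing `p=none` only collects reports, so the spoofed message still reaches the inbox, whereas `p=reject` instructs receivers to refuse it.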
There are six types of organizations that must comply with these new rules:
- Organizations dealing with cardholder data
- Service providers
- Organizations storing or sending cardholder data
- System components or individuals
- Indirectly connected systems
- Businesses of all sizes
Organizations that do not comply risk penalties of anywhere from $5,000 to $100,000.