We’re not trying to alarm you, but brands that process payments have little more than 48 hours to comply with the newest iteration of the Payment Card Industry Data Security Standard.
The new version -- PCI DSS v4.0.1 -- takes effect on Monday. Among the biggest changes -- and the one that affects email senders -- is enhanced protection against phishing and email fraud, according to a new report from EasyDMARC: The State of PCI DSS v4.0.1 Compliance and Email Security in 2025.
This means such brands should have already implemented DMARC (Domain-based Message Authentication, Reporting, and Conformance), an email authentication defense against phishing and email fraud.
Unfortunately, many businesses are not yet ready, or at least they weren’t in January, when EasyDMARC surveyed 502 IT decision makers in the U.K., the U.S. and Australasia.
Of those polled, 62% had not yet implemented DMARC, which is also now required by Google and Yahoo, the report states.
Although 72% felt they were on track for compliance, they clearly were not.
This is no small matter: 64% of the respondents said they have experienced an increase in phishing attacks in the past year, and 25% have experienced a significant rise.
Introduced in 2004, the original payment standard was designed to protect credit-card data and reduce fraud. The update introduces the email requirement.
Of firms that process their own payments, 72% said they were ready, and 27% expected to be ready by the deadline.
At the same time, 40% said they’re very familiar with the new DMARC requirement, and 38% have heard of it and were preparing to comply. But 20% either don’t know much about it or have never heard of it.
Firms that use third-party payment providers seem to be ignoring the new regimen. Perhaps they feel it is not their responsibility. Only 19% said they were very familiar with it, while 62% had heard of it but didn’t know much. The remainder said they have never heard of it.
And it follows that they were in the dark about the DMARC requirement — with 25% saying they were definitely aware, 49% saying they had heard of it but didn’t know much, and 26% saying they had never heard of it.
But they expected to be asked to self-certify that they are using anti-phishing technology, including DMARC: 44% think it is very likely, and 42% say it is somewhat so.
As for DMARC in general, 38% have implemented it, while 48% expect to adopt it soon and 14% have no such plans.
What’s holding the latter group up? For 39%, it was a lack of technical expertise or the feeling that it is too complex. And 36% are unaware of DMARC’s ability to reduce risks or face a lack of management buy-in. Moreover, 11% feared that DMARC will cause email deliverability issues.
That is doubtless why 61% are consulting external experts for help, with 57% specifically seeking assistance with technical implementation and management, the report says.
“Payment businesses handle vast amounts of sensitive data, making them prime targets for cyber threats,” says Gerasim Hovhannisyan, co-founder and CEO of EasyDMARC. “It’s critical they proactively strengthen email security now to avoid scrambling once an attack occurs or compliance deadlines are missed.”
The firms surveyed included those in software/technology, financial services, retail, and e-commerce.