PCI DSS v4.0 2025
We are currently four months away from March 31, 2025, the compliance deadline for the future-dated requirements of the Payment Card Industry Data Security Standard (PCI DSS) v4.0. After that date all organizations must comply with the 51 new PCI DSS v4.0 requirements that, until then, are treated as best practices rather than mandatory controls. One of these updates is to implement processes and automated mechanisms to detect and protect personnel against phishing attacks. The PCI DSS guidance for this requirement (5.4.1) explains that it can be met through a combination of approaches. Anti-spoofing controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) help stop phishers from spoofing the entity’s domain and impersonating its personnel.
What is DMARC?
DMARC is an email authentication framework that lets a domain owner tell receiving mail servers how to validate messages claiming to come from the domain and what to do with messages that fail. It builds on SPF and DKIM. With SPF, the domain owner publishes which servers are authorized to send mail for the domain; the receiver checks the connecting server’s IP address against that list for the envelope sender (MAIL FROM) domain. With DKIM, the sending server attaches a cryptographic signature over selected headers and the body, so the receiver can verify that the signing domain took responsibility for the message and that it has not been tampered with in transit. DMARC adds the piece both of these lack: alignment. A message passes DMARC only if SPF or DKIM passes and the domain that passed matches the domain in the visible From: header, which is the address the recipient actually sees. The domain owner then publishes a policy (none, quarantine or reject) telling receivers how to handle messages that fail, and can request reports showing who is sending mail in the domain’s name. These checks matter because spoofed sender domains are a foundation of phishing, which remains the primary delivery mechanism for many other types of attacks. Here is a summary of the benefits of DMARC:
- Prevents email spoofing and phishing by letting domain owners instruct receiving servers to quarantine or reject messages that fail authentication and alignment
- Improves deliverability of legitimate mail, because receivers can trust messages that authenticate and align with a published policy
- Protects brand reputation by blocking malicious emails that appear to come from the company’s domain
- Gives domain owners visibility, through aggregate and forensic reports, into who is sending mail in their name, including legitimate third-party services that are not yet authenticated
Recent DMARC Targeted Attacks
The US government has issued a warning that Kimsuky, a North Korean hacking group, is exploiting poorly configured DMARC email security settings to mask its spear-phishing campaigns. According to a joint alert from the FBI, NSA, and State Department, these weak DMARC policies enable Kimsuky to impersonate credible academics, journalists, and East Asian affairs experts through email spoofing. The weak configuration in question is a DMARC policy set to “none” (or no DMARC record at all): receivers are asked only to report on messages that fail authentication, not to quarantine or block them, so a spoofed message is still delivered to the victim’s inbox.
The group uses a two-phase email strategy. In the first phase, they distribute emails masquerading as communications from reputable organizations to build trust. Once trust is gained, they follow up with emails containing malicious payloads, such as infected attachments or links to phishing sites.
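The following Python is an added example, not code from the original article or from HALOCK, that ties the DMARC mechanics described in the “What is DMARC?” section to the weak p=none policy in the Kimsuky advisory. It parses a _dmarc TXT record, checks SPF/DKIM identifier alignment against the visible From: domain, and returns the disposition a receiving server would apply. The DMARC records, domains (example.com, attacker.example) and authentication results are constructed for the example; the organizational-domain lookup is simplified to the last two labels rather than using the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed records for a hypothetical domain; not live DNS data.
# The weak record only reports; the hardened one rejects unaligned mail,
# covers subdomains (sp=), and requires exact-domain (strict) alignment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse the tag=value list of a _dmarc TXT record and fill in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 required)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= if absent
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    A production verifier consults the Public Suffix List; this shortcut is
    wrong for suffixes such as co.uk and is used only to keep the example
    self-contained."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: does the authenticated domain match the From: domain?"""
    if auth_domain is None:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str                   # domain in the visible From: header
    spf_pass_domain: Optional[str]     # MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: Optional[str]    # d= of a DKIM signature that verified, else None


def dmarc_disposition(record_domain: str, record: str, r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, action) as a receiving MTA would apply them.
    action is the policy to enforce: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_aligned = aligned(r.from_domain, r.spf_pass_domain, tags["aspf"])
    dkim_aligned = aligned(r.from_domain, r.dkim_pass_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # A From: address on a subdomain falls under sp=; the record's own domain under p=.
    is_subdomain = r.from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    return "fail", tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Spoof: the attacker's own server passes SPF for attacker.example, but the
    # From: header claims example.com. SPF "passes", yet nothing aligns.
    spoof = AuthResults("example.com", "attacker.example", None)
    legit = AuthResults("example.com", "mail.example.com", "example.com")
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, "spoof ->", dmarc_disposition("example.com", rec, spoof))
        print(name, "legit ->", dmarc_disposition("example.com", rec, legit))
```

Under the weak record the spoofed message fails DMARC but the action is still “none”, so it is delivered and only shows up later in an aggregate report; under the hardened record the same message is rejected. Note that tightening aspf to strict also means mail relayed through mail.example.com is no longer aligned by SPF alone, which is why a DKIM signature with d=example.com is needed before moving to p=reject.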
Library of Congress Attacked
Although it is not known whether the intrusion involved weaknesses in email authentication, a foreign adversary successfully accessed the contents of email communications between congressional legislative staffers and staff of the Library of Congress’s Congressional Research Service. The access occurred between January and September of this year. The breach exposed months of sensitive correspondence, including confidential legislative proposals. In November, the Library’s Communications Director confirmed the incident, stating that the exploited vulnerability had been addressed and measures implemented to prevent future occurrences. The incident is a clear illustration that email remains a high-value target and that its protections need ongoing attention.
How HALOCK Can Help
DMARC is one of many security measures that can now be considered part of an organization’s duty of care. This concept refers to the responsibility of organizations to take reasonable steps to prevent harm to others; in cybersecurity, it means implementing appropriate measures to protect sensitive data and systems. HALOCK Security Labs can conduct a Duty of Care Risk Analysis (DoCRA) that evaluates risks while balancing your organization’s needs with those of potential breach victims. Our PCI DSS Qualified Security Assessors (QSAs) can educate your organization on PCI DSS, help you identify and optimize your compliance scope, assess your compliance baseline, provide counselling and advisory support during remediation efforts, and provide validation services for the Payment Card Industry Data Security Standard. Contact us to review your security posture and ensure regulatory compliance.