PCI DSS v4.0 Now Requires DMARC: What Businesses Must Do

pci-dss-dmarc-requirement

PCI DSS v4.0 Now Requires DMARC: What Businesses Must Do

Email authentication used to be the domain of deliverability teams. Now it’s a compliance requirement. With PCI DSS v4.0, DMARC moved from best practice to formal mandate for any organization that handles credit card data — and the anti-phishing requirements that include it became fully enforceable in 2025, with all 2026 assessments conducted against the v4.0.1 standard.

If your business takes card payments, this affects you directly. Here’s what changed and how to meet it.

Why a payment standard cares about your email

At first glance, email authentication and card security seem unrelated. The link is phishing. Attackers impersonate trusted brands — especially those handling money — to trick customers and staff into handing over credentials and card details. DMARC is one of the most effective defenses against that impersonation, because it stops bad actors from spoofing your domain.

The Payment Card Industry Security Standards Council recognized that email-based fraud is a core threat to cardholder data, so PCI DSS v4.0 folded anti-phishing controls, including DMARC, into the standard. In an era of rising breaches, protecting your sending domain is now treated as part of protecting payment data.

What’s required, in plain terms

The specifics live in your assessment, but the practical shape of the requirement is straightforward:

  • Publish a DMARC record for domains that send email, at minimum establishing a policy and reporting.
  • Deploy the underlying authentication — SPF and DKIM — since DMARC relies on them to work.
  • Move toward enforcement. A monitoring-only p=none technically satisfies “having a record,” but the intent of an anti-phishing control is protection, which means progressing toward quarantine or reject. Industry best practice in 2026 already points at p=reject for full domain protection.
  • Maintain visibility. Aggregate reporting shows you every source sending as your domain, which is essential for both security and passing assessment.

Note this arrives alongside the broader mailbox-provider requirements. Gmail, Yahoo, and Microsoft already require DMARC for bulk senders, so many businesses now face the same requirement from two directions — their payment obligations and their deliverability needs.

How to get compliant: a practical path

  1. Inventory every sending source. Marketing platform, CRM, transactional relays, support desk, invoicing — list everything that sends as your domain.
  2. Publish SPF and DKIM for each legitimate source and confirm alignment with your From domain.
  3. Publish a DMARC record with a reporting address so you start collecting aggregate reports.
  4. Read the reports and fix gaps. Reports reveal unauthorized senders and misconfigured legitimate ones. Resolve both before tightening policy.
  5. Progress your policy from none toward quarantine and then reject as your reports confirm all legitimate mail is aligned.
  6. Document it for your assessment, and keep monitoring — compliance is ongoing, not a one-time checkbox.

Where clean data supports compliance and deliverability together

DMARC protects your domain from being impersonated. But the same infrastructure investment pays off twice: the authentication that satisfies PCI DSS is exactly what mailbox providers demand for inbox placement. Getting this right once serves both security and deliverability.

There’s a complementary piece worth naming. Authentication proves your mail is really yours; list hygiene proves your mail deserves to be delivered. For the transactional and marketing messages that flow from a payment-handling business — receipts, confirmations, statements, offers — sending to invalid or risky addresses drives bounces and complaints that erode the reputation your authentication is meant to protect. Verifying your list keeps those messages landing reliably, so both your compliance posture and your customer communications stay healthy.

Verify before you send

DMARC satisfies the compliance requirement; a clean list protects the reputation behind it. Clearalist verifies your contacts — removing invalid and risky addresses — so your receipts, statements, and campaigns keep reaching customers.

Start free — verify 1000 emails, no credit card required →

Frequently asked questions

Does PCI DSS really require DMARC? Yes. PCI DSS v4.0 added anti-phishing requirements that include DMARC. These became fully mandatory in 2025, and 2026 assessments run against the v4.0.1 standard.

Who has to comply? Organizations that store, process, or transmit cardholder data, along with the service providers that support them, fall under PCI DSS requirements.

Is p=none enough to comply? It may technically satisfy “having a DMARC record,” but the purpose of an anti-phishing control is protection. Best practice is to progress toward p=quarantine or p=reject.

Do I need SPF and DKIM too? Yes. DMARC depends on SPF and DKIM to authenticate mail and evaluate alignment. All three work together.

Does this overlap with Gmail and Yahoo’s requirements? It does. Major mailbox providers already require DMARC for bulk senders, so meeting PCI DSS often satisfies deliverability requirements at the same time.

This article is general information, not legal or compliance advice. Confirm your specific obligations with a qualified assessor.