Guide
What PCI DSS 4.0 means for your email
If your business takes card payments, the latest version of the PCI security standard now expects you to protect your email against impersonation. Here is what that means in plain terms, without the jargon.
The short version
PCI DSS is the security standard that any business handling card payments has to follow. Version 4.0 is the current one, and its requirements became mandatory in March 2025.
One of the things it now expects is that you protect your domain against email spoofing, so attackers cannot send phishing emails that look like they come from you. The standard points to anti-phishing controls, and email authentication (SPF, DKIM and DMARC) is the practical way most businesses meet that expectation.
In practice this means:
Your domain should have a working DMARC policy that tells receiving mail servers to reject or quarantine email that fails authentication, so nobody can impersonate your business by email.
Why card-handling businesses are a target
If you take payments, your customers already trust emails that appear to come from you about orders, receipts and account changes. That trust is exactly what attackers abuse. A spoofed email from your domain asking a customer to "confirm payment details" is far more convincing than a random scam, which is why payment-related businesses are targeted more often.
Protecting your domain removes that option from attackers, and it is also what an assessor will look for when they check your compliance.
What you actually need
- An SPF record that lists who is allowed to send email for your domain.
- DKIM signing, so your real email carries a verifiable signature.
- A DMARC policy set to actively block or quarantine anything that fails, not just watch.
- Ongoing monitoring, because every new tool you connect can change who sends email for you and quietly break the setup.
The last point is the one most businesses miss. Getting to a protected state once is not enough on its own. As your business adds tools and senders, the configuration has to be kept correct, and an assessor will want to see that it still holds at the time they check.
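As an added illustration (this is not code from the original page or from the PCI Security Standards Council), the script below checks a domain's SPF and DMARC records against the bar the checklist sets: the DMARC policy must actually block or quarantine rather than only watch, SPF should end in a hard fail, and there should be a reporting address so the ongoing monitoring in the last point has something to work with. It parses record text you already have from your DNS provider and makes no network lookups itself; the domains, addresses and records in it are constructed samples, and the finding messages are this example's own wording.

```python
"""Classify SPF and DMARC TXT records against "block or quarantine, not just watch".

Added example, not the page's or PCI SSC's code. Works on record text you
already hold (from your DNS provider or a TXT lookup); no network access.
Every sample record below is constructed for illustration only.
"""

from __future__ import annotations

import re


def parse_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lower-cased tag map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty fragments and bare words
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: str) -> dict:
    """Return the policy, whether it enforces, and the caveats an assessor would raise."""
    tags = parse_tags(record)
    findings: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False, "findings": ["not a DMARC1 record"]}

    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number; treating it as 0")

    # "Not just watch": p=none only reports, it never stops a spoofed message.
    enforcing = policy in ("quarantine", "reject") and pct == 100
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")

    # Subdomains inherit p unless sp overrides it; sp=none reopens them.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")

    # Ongoing monitoring needs aggregate reports; without rua nothing is observed.
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")

    return {"policy": policy, "enforcing": enforcing, "findings": findings}


# Terms that cost a DNS lookup under SPF's limit of 10 (RFC 7208). Nested
# include: records are not expanded here, so this is a lower bound.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def spf_status(record: str) -> dict:
    """Report the 'all' qualifier and a top-level count of lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "hard_fail": False, "lookups": 0, "findings": ["not an spf1 record"]}

    findings: list[str] = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        qualifier = None
        findings.append("no 'all' term; unlisted senders are treated as neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all lets anyone send as your domain")
        elif qualifier == "~":
            findings.append("~all is a soft fail; receivers treat it leniently")

    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms already exceeds the limit of 10")

    return {"all": qualifier, "hard_fail": qualifier == "-", "lookups": lookups, "findings": findings}


# Constructed sample records; example.com / example.net are documentation domains.
SAMPLE_DMARC = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50",
}
SAMPLE_SPF = {
    "hard_fail": "v=spf1 include:_spf.example.net mx -all",
    "soft_fail": "v=spf1 include:_spf.example.net ~all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_DMARC.items():
        print(f"DMARC {name}: {dmarc_status(rec)}")
    for name, rec in SAMPLE_SPF.items():
        print(f"SPF {name}: {spf_status(rec)}")
```

Of the three constructed DMARC records, only the "enforcing" one passes cleanly: the monitor-only record reports but blocks nothing, and the pct=50 record enforces on half of failing mail and has no reporting address. Re-running this each time a new sending tool is connected is the cheap part of the "ongoing monitoring" point; the findings list is what changes when a connection quietly breaks the setup.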
Not sure where your domain stands?
Send us your domain and we will send back a free one-page report showing your current setup and what PCI 4.0 expects. No call needed.
Where to read more:
PCI Security Standards Council — official source for the standard and its requirements: pcisecuritystandards.org
This page is a plain-language summary for general information. It is not legal or compliance advice. Your exact obligations depend on how you handle card data and which PCI requirements apply to you. Always confirm your specific scope with your acquirer or a qualified assessor.