Sending Logs, Alerts, and Telemetry Through a Data Diode

Find Out How
We utilize artificial intelligence for site translations, and while we strive for accuracy, they may not always be 100% precise. Your understanding is appreciated.

How Deep CDR™ Technology and Metascan™ Multiscanning Address PCI DSS Security Requirements

By OPSWAT
Share this Post

A payment processor's security team flags a PDF attachment for review. It comes from a known vendor, it scans clean against every signature in the antivirus database, and it gets delivered to the finance inbox without a second look. Inside that PDF is a payload built specifically to avoid detection: no known signature, no flagged behavior, nothing the antivirus engine has ever been trained to catch. By the time anyone notices, the file has already done its job.

This is not hypothetical. Embedded macros, OLE objects, JavaScript inside PDFs, and obfuscated scripts in Office files are standard delivery vectors in attacks against financial services. And the file formats attackers favor (PDF, Excel, Word) are the same formats that move cardholder data through a payment environment every day. Reports, statements, account applications, and vendor correspondence all travel as files, which means every one of those formats is also a potential entry point into the cardholder data environment.

If you've mapped Requirement 5 of PCI DSS 4.0.1 as "covered" because antivirus is deployed across your endpoints, it's worth asking what that coverage actually accounts for. Antivirus and EDR (Endpoint Detection and Response) are strong, necessary tools. They're also built around a specific assumption: that a threat has to be recognized to be stopped. Our first blog in this series looked at where PCI DSS 4.0.1 raises the bar on malware protection generally. This post goes one layer deeper into a specific gap: how file-borne threats slip past antivirus by design, and what closes that gap for a payment environment.

What Antivirus Actually Does, and Where it Stops

Antivirus and EDR are good at what they were built for: recognizing threats that have already been identified. Signature-based detection compares a file against a database of known malware. Behavioral detection in EDR watches for patterns consistent with prior attacks. Both approaches depend on having seen something similar before.

That dependency is also the limitation. A zero-day payload has no signature to match. A file engineered to evade static analysis, through obfuscation, encryption, or structural manipulation, can pass inspection without triggering a single alert. Attackers know exactly how detection-based tools work, which is why so much of the modern attack surface is built around evading them rather than overpowering them. None of this means antivirus and EDR are doing their job poorly. It means they're being asked to do a job that, by definition, can't cover threats no one has catalogued yet.

File-Based Threats in the Cardholder Data Environment

This matters specifically for the CDE (cardholder data environment). Cardholder data doesn't move through network channels alone. It moves through files: reports, statements, transaction logs, vendor correspondence. When a malicious file enters that environment undetected, the result isn't just a missed malware alert. It's a breach of the boundary PCI DSS requires organizations to control. A file that passes AV because its payload is unrecognized is still a file inside the CDE carrying that payload. The scan result doesn't change what's in the file.

What Deep CDR™ Technology Does Instead

Instead of asking whether a file is malicious, Deep CDR™ Technology assumes any file could be and treats it accordingly. The process breaks a file down to its component parts, strips anything capable of carrying executable content or active threats (macros, embedded scripts, OLE objects), and rebuilds a clean, fully functional version in the original format. That reconstruction runs recursively, too: an archive nested inside another archive, or a document with an embedded file of its own, gets sanitized at every layer, not just the outermost one. Learn about Deep CDR™ Technology performance.

The distinction is the mechanism, not the marketing. Detection-based tools try to identify the threat. Deep CDR™ Technology removes what the threat would need to function, regardless of whether it's been identified yet. A zero-day exploit and a known piece of malware get the same treatment, because the tool isn't trying to recognize either one. It's removing the delivery mechanism altogether. The output is a file that opens, displays, and functions the way the original did, minus the components that could carry an active threat. Independent testing backs that up: Deep CDR™ Technology was the first CDR solution to achieve 100% Protection and Accuracy in SE Labs's Standalone CDR Test.

For PCI DSS purposes, what matters is what this means for Requirement 5—Protect all systems against malware and update anti-virus software or programs regularly: a control that addresses the specific class of threats signature-based detection is structurally unable to catch, applied at the moment a file enters the environment rather than after the fact.

How Metascan Multiscanning and Deep CDR™ Technology Map to PCI DSS 4.0.1

PCI DSS 4.0.1 doesn't ask for one type of malware control. It asks for layered coverage that addresses both known and unknown threats. A single tool, no matter how well it performs at its specific job, can't satisfy that on its own. That's where pairing detection with prevention becomes relevant to specific requirements.

Requirement 1: Install and Maintain Network Security Controls

Requirement 1 exists to keep risk from devices that touch both untrusted networks and the CDE from spreading into it. Multiscanning and Deep CDR™ Technology support that goal directly: layered anti-malware coverage across network traffic, email, endpoints, and removable media closes off multiple entry points at once, while combined multiscanning and CDR ensure that files and data crossing the boundary between untrusted networks and the CDE arrive sanitized and free of malicious content, regardless of which channel they came through.

Requirement 5: Protect All Systems and Networks from Malicious Software

At the requirement level, Metascan Multiscanning (30+ antivirus engines) and Deep CDR™ Technology (which reconstructs files into safe formats to neutralize zero-day and embedded threats) are the two headline capabilities carrying this requirement end to end. Together they cover both halves of the anti-malware mandate: Advanced File-Borne Threat Detection for 5.2/5.2.1, where every file is processed through Deep CDR™ Technology and Metascan Multiscanning before it's allowed into a protected environment; layered scanning for 5.3.2, where multiscanning, sandboxing, and content disarm and reconstruction are the recommended supporting controls; and Attachment-Based Phishing Detection for 5.4, where MetaDefender Email Security combines Metascan Multiscanning and sandbox analysis to catch malicious attachments before they reach a user.

  • Requirement 5.2 (malware prevention and detection). This is where the two technologies do distinct, complementary work. Metascan Multiscanning runs files through more than thirty commercial antivirus engines, giving known-threat detection a depth that no single engine can match on its own — and because those engines pair signatures with heuristics and machine learning, Metascan also catches a meaningful share of unknown malware, putting its overall detection rate at 99.2% of known and unknown threats combined. Deep CDR™ Technology handles the sliver of threats scanning misses and prevents zero-day exploits. Together, known threats get caught and the threats scanning alone would let through lose their delivery mechanism before they're ever a problem.
  • Requirement 5.3.2 (real-time or periodic scanning). Deep CDR™ Technology operates inline, at the point of ingestion. Every file is processed as it enters the environment, not on a scheduled sweep. That satisfies the real-time inspection expectation across web traffic, email, and file transfer channels simultaneously, rather than relying on periodic scans to catch what got through in between.
  • Requirement 5.4 (anti-phishing mechanisms).MetaDefender Email Security™ combines Metascan Multiscanning and sandbox analysis to catch malicious or suspicious attachments before they reach an inbox, while MetaDefender Aether™ adds dynamic analysis of suspicious attachments in a controlled environment to catch zero-day or obfuscated payloads that evade signature-based scanning. MetaDefender NDR™ extends that visibility to the network layer, flagging suspicious connections and payload delivery tied to phishing campaigns.

Requirement 6: Develop and Maintain Secure Systems and Software

Requirement 6.3 (vulnerability identification). Files carrying exploits aimed at known software vulnerabilities are a file-level risk, not just a network-level one. Because Deep CDR™ Technology removes the exploit delivery mechanism before a file reaches a user or system, it addresses this risk at the point where it would otherwise enter, independent of whether the underlying vulnerability has been patched yet.

Curious how this maps against your own PCI DSS scope? Get the PCI DSS Compliance Guide for a closer look at where Metascan Multiscanning and Deep CDR™ Technology technologies fit.

Where Multiscanning and CDR Fit in the Stack

The value of this layered approach depends on where it's deployed. Coverage that exists only at the endpoint leaves the rest of the file's journey unprotected, and cardholder data crosses the CDE boundary through more channels than most compliance matrices account for. For a payment environment, the highest-value points are the ones where files routinely cross that boundary.

  • Web application security: Applications that receive cardholder data are also a path for malicious files and zero-day threats to enter the CDE through uploads or file-based interactions.
  • Email gateway: Attachments are sanitized before delivery, which eliminates weaponized Office documents and malicious PDFs, the most common delivery format for spearphishing in financial services.
  • Web proxy / ICAP: HTTP and HTTPS traffic is inspected in real time, and files downloaded from the internet are reconstructed before they reach internal systems.
  • Removable media: Files from USB devices are sanitized at the kiosk before entering the CDE. This addresses Requirement 5.3.3 directly and closes off removable media as an attack vector.
  • Managed file transfer: Files exchanged with partners and vendors are sanitized in transit, not only at the point of receipt.

OPSWAT's MetaDefender™ Platform applies Metascan Multiscanning and Deep CDR™ Technology consistently across these points, along with Proactive DLP™ Technology and other capabilities, so coverage doesn't depend on which channel a file happens to come through. It also doesn't depend on which format a file arrives in: Deep CDR™ Technology covers more than 200 file types, from the PDFs, spreadsheets, and Word documents that dominate payment workflows to the images, archives, and other formats that cross the CDE boundary in practice.

Known or Novel, the Outcome is the Same

Go back to the PDF from the opening of this piece. Nothing about it was hypothetical, and nothing about it required poor execution on anyone's part. The vendor was legitimate, the scan came back clean, and the file was delivered exactly as intended. That's the scenario Requirement 5 exists to prevent, and it's also the scenario a mapping built on antivirus alone can't fully account for.

Deep CDR™ Technology rebuilds files without the components that could be dangerous, so the question of whether the payload was known or novel never has to get answered in the first place. Metascan Multiscanning does the equivalent for anything that does carry a signature. Between the two, a file reaching the finance inbox is either a threat that got caught or a threat that lost the parts of itself it needed to work — never a threat that simply wasn't recognized yet.

Takeaways

  • Payment data moves through business files — reports, statements, vendor correspondence — that a network security review doesn't cover.
  • Coverage extends to both known and unknown threats: 30+ antivirus engines detect known malware, and Deep CDR™ Technology removes the components a zero-day would need to run, without needing to identify the threat first.
  • This aligns to specific PCI DSS requirements (5.2, 5.3.2, 5.4, 1.5/1.5.1, 11.5/11.5.1), with centralized logging that shows the control is running when an assessor checks.

Want to see exactly where Deep CDR™ Technology and Multiscanning map against the full PCI DSS 4.0.1 requirement set? Download the PCI DSS Compliance Guide and Checklist for a detailed control-by-control breakdown.

Stay Up-to-Date With OPSWAT!

Sign up today to receive the latest company updates, stories, event info, and more.