Restricting Database Access
PCI DSS Requirement 7.2 specifies that access to cardholder data, including databases, must be restricted by business need-to-know.
Restricting database access to programmatic methods, rather than direct user access, minimizes the risk of unauthorized queries and data breaches.
Eliminating Direct Access
Direct database access by end users or administrators poses significant risk unless it is strictly controlled and monitored. Programmatic access (e.g., through applications that enforce role-based access controls) aligns with security best practices.
Incorrect Options
Option B: Administrators might need access, but access should not be limited to system/network administrators.
Option C: Application IDs should not be used directly by individuals, as this circumvents accountability.
Option D: Shared accounts are discouraged due to a lack of traceability.