3.5.2 Examine user access lists to verify that access to keys is restricted to the fewest number of custodians necessary.
There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities.