[PCI DSS 3.0] 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1 Examine written policy for access control, and verify that the policy incorporates 7.1.1 through 7.1.4 as follows:
• Defining access needs and privilege assignments for each role
• Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities
• Assignment of access based on individual personnel’s job classification and function
• Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.

The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.