Requirement 7 of PCI DSS mandates what kind of access control?


Requirement 7 of PCI DSS is centered on the principle of least privilege: individuals should have access only to the information and system components they need to perform their job functions. Access is therefore restricted on the basis of business need to know, which safeguards sensitive data and minimizes the risk of unauthorized access.

Implementing access controls based on business necessity not only helps protect cardholder data but also aligns with compliance requirements where specific roles and functions must be identified to limit exposure to potentially sensitive information. This approach minimizes the attack surface for potential breaches, enhances accountability, and ensures that access to sensitive data is managed systematically.

In contrast, options like open access to all staff would create significant security risks, allowing any employee to access sensitive information without justification. Similarly, default access for vendors does not consider the specific needs of each vendor, which can lead to unnecessary exposure of sensitive data. Lastly, access based solely on seniority does not take into account a person's actual job functions or responsibilities, potentially granting access to information that is not relevant to their role. Thus, the best choice is indeed access restricted by business need to know, as it prioritizes security and compliance with PCI DSS standards.
