What is the intended outcome of Requirement 7.3 in PCI DSS?

• A. Security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
• B. All systems must be encrypted at rest.
• C. Regular vulnerability scans must be performed weekly.
• D. Access logs must be retained for one year.

Answer: (A)

Access control governance is the focus here: there must be formal, written policies and procedures that define who is allowed to access cardholder data, under what circumstances, and how those permissions are granted, reviewed, and revoked. The intended outcome is that these policies are not just documents but are actively used and understood by everyone affected—so access to cardholder data is consistently restricted to those with a legitimate business need. This ensures clear guidance, accountability, and enforceable controls across the organization.

This is distinct from encryption (which is about protecting data itself), regular vulnerability scanning, or log retention, which are addressed by other requirements.