Before granting access to system components or cardholder data, what must be done?


Multiple Choice

Before granting access to system components or cardholder data, what must be done?

Explanation:
Allowing access only after assigning a unique user ID to each person ensures every action can be attributed to a specific individual. This accountability is essential for monitoring, auditing, and enforcing least-privilege access to system components and cardholder data. Without unique IDs, you can’t reliably know who did what, which hinders incident response and traceability. While strong authentication is important, PCI DSS does not require universal two-factor authentication for every access—it targets certain scenarios like remote or highly privileged access. Relying on role names alone or approving access verbally without records fails to provide the auditable trail and governance needed for secure access control. Therefore, giving every user a unique ID before granting access best meets the requirement for accountable, traceable access.

