Which statement best describes 'Implement Strong Access Control Measures' in PCI DSS?

The statement that 'Only authorized users should be granted access' accurately encapsulates the principle of implementing strong access control measures in the context of PCI DSS. This principle emphasizes the importance of restricting access to sensitive cardholder data exclusively to individuals who have been properly vetted and are deemed authorized based on their roles and responsibilities.

By ensuring that access is limited to authorized personnel, organizations can significantly mitigate the risks of data breaches and unauthorized information exposure. This aligns with the broader goals of PCI DSS, which aim to protect cardholder data and maintain the integrity and confidentiality of payment card transactions.

In contrast, the other statements do not fulfill the requirements of strong access control measures. Allowing all staff to access cardholder data jeopardizes data security by exposing sensitive information to potentially untrained or unscrutinized individuals. Limiting access only during business hours is insufficient because unauthorized users might still gain access during that time. Making access control optional for convenience undermines the very essence of security, which requires rigidity and strict adherence to access policies to protect against unauthorized access.
