What is the default behavior of the access control system in terms of allowing access?

Multiple Choice

What is the default behavior of the access control system in terms of allowing access?

Explanation:
Access control should start with a deny-all stance: access is blocked unless there is an explicit permission granting it. This means every access attempt is checked against defined allow rules, and if no rule approves it, access is denied. This approach minimizes risk by ensuring nothing is usable unless specifically authorized, which is a core practice in PCI—restricting access to system components to those with a legitimate business need and requiring proper authentication and authorization. The other patterns—allowing access by default, or granting access only based on IP or business hours—do not provide the same robust protection because they either assume trust without explicit approval or rely on simplistic criteria that can be bypassed or misused.
