Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?


The scenario that meets PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods. This approach significantly enhances security by ensuring that users interact with the database strictly through secure applications or services that enforce specific access control measures and auditing procedures. Limiting database access to programmatic methods reduces the risk of unauthorized access and potential exploitation, because it removes the option for users to interact directly with the database environment.

In this context, programmatic access typically involves the use of API calls or other secure mechanisms that can be monitored and managed to ensure compliance with data protection practices. This method allows for strict logging and control, ensuring that only authenticated and authorized processes can interact with cardholder data.

The other scenarios, while they incorporate aspects of access control, do not align as effectively with PCI DSS practices aimed at minimizing direct access. For example, restricting access to only system and network administrators or using shared accounts can still pose risks of unauthorized access or inadequate logging of activities. The use of application IDs solely for database administrators, although it adds a layer of security, does not necessarily prevent direct human access, which PCI DSS guidelines seek to limit.
