Which statement about application IDs in database access is correct?

• A. Application IDs Can Be Used By Individuals To Query The Database
• B. Application IDs Must Be Used By The Application And Not By Individual Users
• C. Application IDs Are Not Required For Database Access
• D. Application IDs Should Be Disabled For All Applications

Answer: (B)

Using a dedicated application account for database access, rather than giving individual users direct credentials, is how you keep access secure and auditable. When the application holds the credentials, you can enforce the exact permissions the app needs, and every database action can be attributed to the application, not to a person. This supports strong authentication, centralized logging, and the principle of least privilege, all of which PCI DSS emphasizes for protecting cardholder data. Allowing individuals to use application IDs would blur accountability and make it harder to enforce controls, while saying credentials aren’t required or that IDs should be disabled would undermine the ability to securely manage access.