Which practice describes protecting cardholder data in a counter environment?

Limiting access to cardholder data to only those who need it is the key principle being tested. When access is restricted, only authorized personnel can view or handle the data, applying the least-privilege concept to reduce exposure and risk. This approach directly protects sensitive information and supports compliance with security standards that govern how card data should be handled. Publicly displaying full card numbers creates an immediate and obvious risk, since anyone can see the data. Sharing access to all card records ignores the need-to-know principle and increases the chance of misuse or leakage. Storing card data in plaintext means that, if a breach occurs, the data is readily readable, which is why data should be protected with proper encryption or tokenization.