Some of the non-DBA workers (DEV, Fraud, analysts...) in my organization need direct access to databases to write their own queries.
...
PCI DSS requirement 8.7 states "Only database administrators have the ability to directly access or query databases".
The usual way of handling this is to create a scrubbed version of the database, with PAN data and other sensitive data removed or replaced. This scrubbed database is then outside of PCI scope, and can be directly queried by the people you describe.
(The Fraud people may need access to PAN data for their jobs... but they don't get to use free-form queries for that, you write an application which provides access to the data in the real database they need through pre-formed queries).
For developers and analysts, the scrubbed version should be sufficient for their needs.
You may wish to also consider the question of PII. Data science analysts need access to that level of detail; developers may not. That's outside DSS requirements, however.
There are a couple of drawbacks to this method:
- Depending on the size of the source database, scrubbing may be expensive in time and resources.
- The table indexes, which derive from the cardinality of the data, will be altered when you remove or replace indexed columns (such as PAN), meaning that performance measurements against the "scrubbed" database will not be 1:1 equivalent to the "real" database.
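As an added illustration of the scrubbed-copy approach described in this answer (example code, not from the answer or any particular product): it builds a copy in which the PAN is replaced by a keyed, non-reversible token and the cardholder name is removed, then runs the release check that no PAN-shaped value survived. The table layout, the sample rows and the key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re
import sqlite3

# Constructed sample data (well-known test card numbers, not real PANs).
SOURCE_ROWS = [
    (1, "4111111111111111", "Alice Example", 19.99),
    (2, "5555555555554444", "Bob Example", 120.00),
    (3, "4111111111111111", "Alice Example", 5.25),
]

# Placeholder: in production the key lives in a KMS/HSM, never in source.
SCRUB_KEY = b"PLACEHOLDER-replace-with-managed-secret"

# Release gate pattern: any run of 13-19 digits looks like a PAN.
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def make_source_db() -> sqlite3.Connection:
    """The in-scope 'real' database holding full PANs (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payments (id INTEGER PRIMARY KEY, pan TEXT, "
                "cardholder TEXT, amount REAL)")
    con.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", SOURCE_ROWS)
    return con


def tokenize_pan(pan: str) -> str:
    """Keyed one-way token: equal PANs give equal tokens, so joins and
    per-card aggregates still work, but HMAC (not a bare hash) means the
    token cannot be reversed or brute-forced over a BIN range without the key.
    Base32 output avoids producing long digit runs that the gate would flag."""
    digest = hmac.new(SCRUB_KEY, pan.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:16]).decode().rstrip("=")


def build_scrubbed_db(src: sqlite3.Connection) -> sqlite3.Connection:
    """Copy the table: PAN replaced by its token, cardholder removed (NULL)."""
    dst = sqlite3.connect(":memory:")
    dst.execute("CREATE TABLE payments (id INTEGER PRIMARY KEY, pan_token TEXT, "
                "cardholder TEXT, amount REAL)")
    for id_, pan, _name, amount in src.execute("SELECT id, pan, cardholder, amount FROM payments"):
        dst.execute("INSERT INTO payments VALUES (?, ?, NULL, ?)", (id_, tokenize_pan(pan), amount))
    dst.commit()
    return dst


def find_pan_like_values(con: sqlite3.Connection, table: str) -> list:
    """Scan every text cell for PAN-shaped values before the copy is released
    to non-DBA users. An empty list means the scrub left nothing behind."""
    return [cell for row in con.execute(f"SELECT * FROM {table}")
            for cell in row if isinstance(cell, str) and PAN_LIKE.search(cell)]
```

Because equal PANs map to equal tokens, the token column keeps the cardinality of the original PAN column, which reduces (but does not eliminate) the index-performance skew mentioned in the second drawback.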