PCI Compliance for developers accessing a production database for support


As a developer, when an Incident comes in and reaches Tier 3 support (The development team), how can the developers get access to query the Production Database, while remaining PCI Compliant? I’m admittedly a newbie when it comes to PCI Compliance. Is this just a case of Read-Only accounts? Is this a case of data masking? Is this a case of having a Production copy within Production so devs can’t hit a "Live" db? What’s the easiest, and compliant way for developers to be able to perform application incident support in production?