Can you point to the bit in the PCI spec that says that? My understanding is that people should only have access to the systems they require. But that doesn't stop a developer having access to a continuous deployment server that can push code that meets requirements to production. But that's based on my memories, and may not reflect reality.