Which of the following is a mandatory requirement in PCI DSS compliance?


Using firewalls to protect cardholder data is a fundamental requirement within PCI DSS compliance. Firewalls serve as a critical security measure that helps to establish a barrier between secure internal networks and untrusted external networks, such as the internet. By implementing firewalls, organizations can prevent unauthorized access to cardholder data while enabling safe data transmission between networks.

This requirement aligns with the PCI DSS goal of maintaining a secure network environment and protects sensitive cardholder information from potential threats. Firewalls are part of a broader strategy to create a secure network architecture following best practices, which ultimately safeguards against data breaches and unauthorized disclosures.

In contrast, the other options listed do not align with PCI DSS compliance requirements. For example, storing cardholder information indefinitely is contrary to PCI DSS principles, which encourage retaining data only as long as necessary for legal, regulatory, or business requirements. Disabling user accounts after inactivity is a recommended security best practice but is not explicitly mandated, and allowing shared passwords undermines security by reducing accountability and increasing exposure to unauthorized access.
