Which of the following is a PCI compliance requirement?

PCI compliance centers on protecting cardholder data, and encryption of that data both when stored and when transmitted is a fundamental control. Encrypting data at rest means that stored cardholder information is unreadable if breached, using strong algorithms and proper key management. Encrypting data in transit protects data as it moves across networks, typically with TLS, so interceptors can’t read it. Together, these protections minimize the risk of data exposure regardless of where the data resides or how it’s transmitted. The other options don’t align with PCI requirements: allowing weak passwords conflicts with the need for strong access controls, rotating staff on a fixed annual basis isn’t specified as a PCI rule, and ignoring encryption directly contradicts the standard’s emphasis on protecting cardholder data.