Inactive accounts should be removed or disabled after how many days?


The correct timeframe for removing or disabling inactive accounts, as specified by the PCI DSS, is typically set at 90 days. This period is intended to limit the exposure and risk associated with accounts that have not been actively used. An account that remains inactive for this long is treated as a security weakness, because an unmonitored, unused credential can be taken over or misused without anyone noticing.

By disabling or removing these accounts after 90 days, organizations can enhance their overall security posture and reduce the number of potential entry points for unauthorized access. This practice is closely aligned with best practices in security management and helps maintain the integrity of sensitive data within the organization.

The other options are either shorter or longer than the 90-day period and do not match the guidance in the PCI DSS requirements on account management and security.
