Which requirement restricts inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic?


Multiple Choice

Which requirement restricts inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic?

Explanation:
The essential firewall rule for the cardholder data environment (CDE) is default deny: permit only the traffic the CDE actually needs, in both directions, and drop everything else. A default-deny posture shrinks the attack surface because nothing can reach the CDE, and nothing can leave it, unless someone has explicitly approved and documented that flow. The option worded as restricting inbound and outbound traffic to what is necessary for the CDE and specifically denying all other traffic is this rule; it is the literal wording of PCI DSS v3.2.1 Requirement 1.2.1, and PCI DSS v4.0 carries the same control as Requirements 1.3.1 (inbound) and 1.3.2 (outbound). The other options describe important, related firewall controls, such as segmenting wireless networks from the CDE, preventing direct public Internet access to CDE systems, and blocking unauthorized outbound traffic, but each covers only one direction or one traffic type; none states the general default-deny rule for all traffic into and out of the CDE.
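What default deny in both directions looks like on a single CDE host, as an added example that is not part of the quiz page and not taken from PCI DSS: a shell script that writes an nftables ruleset whose input, forward and output base chains all carry `policy drop`, with a handful of explicitly justified allow rules, plus a check that refuses any ruleset in which one of those chains is not default-deny. The subnet, host addresses, ports and flows (a jump host for SSH, an internal resolver, a syslog-over-TLS collector, a PostgreSQL back end) are constructed for illustration and should be replaced with the flows in your own documented business justification.

```shell
#!/bin/sh
# Added example (not from the quiz page or PCI DSS): default-deny nftables
# ruleset for a hypothetical CDE application host. All addresses, ports and
# flows below are assumptions made up for this illustration.
set -eu

# Write the ruleset to the path given as $1.
write_cde_ruleset() {
    out="$1"
    cat >"$out" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define CDE_NET    = 10.10.20.0/24   # assumed CDE subnet
define MGMT_HOST  = 10.10.99.5      # assumed administrative jump host
define LOG_SERVER = 10.10.30.7      # assumed central log collector (TLS syslog)
define DNS_SERVER = 10.10.30.53     # assumed internal resolver

table inet cde {
    # Inbound: nothing reaches this host unless a rule below permits it.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Administrative SSH only from the jump host.
        ip saddr $MGMT_HOST tcp dport 22 ct state new accept
        # Application traffic from other CDE systems on the service port.
        ip saddr $CDE_NET tcp dport 8443 ct state new accept
        # Everything else is dropped by policy; log it (rate-limited) as evidence.
        limit rate 10/minute log prefix "cde-input-drop: "
    }

    # This host does not route; nothing may transit it.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Outbound: also default-deny. Only the flows the application needs.
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $DNS_SERVER udp dport 53 accept
        ip daddr $DNS_SERVER tcp dport 53 accept
        ip daddr $LOG_SERVER tcp dport 6514 accept
        ip daddr $CDE_NET tcp dport 5432 accept
        limit rate 10/minute log prefix "cde-output-drop: "
    }
}
EOF
}

# Return 0 only if every base chain (input, forward, output) in the file
# given as $1 is declared with "policy drop"; any chain that is missing or
# defaults to accept makes the check fail.
check_default_deny() {
    f="$1"
    for chain in input forward output; do
        grep -Eq "hook $chain priority [0-9-]+; policy drop;" "$f" || return 1
    done
    return 0
}

# Stand-alone usage: write the ruleset, verify it is default-deny in all
# three chains, and syntax-check it with nft if the tool is installed.
if [ "${1:-}" = "--write" ]; then
    write_cde_ruleset "${2:-/etc/nftables.d/cde.nft}"
    check_default_deny "${2:-/etc/nftables.d/cde.nft}"
    command -v nft >/dev/null && nft -c -f "${2:-/etc/nftables.d/cde.nft}"
fi
```

Load the checked file with `nft -f` and make it persistent through your distribution's nftables service. The final rate-limited `log` statements matter for an assessment: a hit on them is either an attack or a business-justified flow missing from the ruleset, and both should be reviewed. The `check_default_deny` function is the kind of control a change pipeline can run on every ruleset commit so that no chain silently reverts to `policy accept`.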
