PCI is crap.
"PCI compliance doesn't cost extra money/budget. Neither does it take longer to implement or more effort to maintain. To be PCI compliant all you have to do is follow best practices and stop being lazy with procedures and systems."
You've absolutely never ever done it before, have you? Next time you decide to talk shit, take a deep breath and pull your head out of your ass.
You have to pay a firm to become PCI compliant. And if you handle your website through a hosting company, they may have to make you compliant if you don't have an in-house team that can handle it. It becomes especially tricky if your site is being managed through a control panel, since tons of businesses use them, because there are TONS of tech-illiterate folks out there. And the hosting company will (likely) charge fees and take time.
Ask me how I know this. Go ahead, ask me. I used to work at a webhost, I've seen this far too often.
They go beyond "best practices". They check all kinds of asinine stuff. For example, if you run the Plesk CP, which listens on port 8443 (and uses a completely different HTTP daemon for the CP than the one serving web content, lighttpd vs. Apache), and the port is open, they'll detect an open port that has poor encryption even though it has zero relevance to your site, and flunk you. And different firms will have different regulations. One of the customers at my last job had a firm that would give them things to fix every day, refusing to certify them until he finally told them enough was enough: certify, or I go to the prosecutors. Some barely do anything, and will certify you on a whim.
PCI DSS is utter garbage and does nothing to fix the problem.