Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc.) - not try and do it yourself. Some pretty clever stuff being done these days, with field-level iframes etc., to make it entirely transparent to the user.
The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API-driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai? ...)
Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.