PCI-DSS compliance isn't optional. If you accept cards, you must be compliant. The easiest way is to offload card handling to your payment processor (using Elements or Hosted Fields) so sensitive data never touches your server.