I don’t store credit cards but I do process them in my magento 2 website, i.e. I do not re-direct customers off to a third-party page at the checkout page.
I contacted the Indian company that developed the credit card processing extension that works with my credit processor. Not surprisingly they don’t have a good answer for me about PCI compliance of their extension.
I’ve taken a look at the PCI compliance document and feel a little daunted by the 80 pages of detailed questions and tests.
I’m going to hand this to my lead developer to sort out but I’m a little afraid of the number of dev hours this is going to cost me.