Yes I know its the merchant that has to meet the PCI-directives. "PCI Data Security Standard Compliance". There are a bunch of directives about the operating environment (firewall, virus protection (!), encrypted access etc), but also directives about coding standards, third party source reviews, need to know access rights for backend users.

https://www.pcisecuritystandards.org/documents/PCI SSC Quick Reference Guide.pdf

PCI-complience are needed to integrate with som of the more advanced payment services (and use VISA/Mastercard/Amex etc)