Well, I guess it won't hurt if I offer my services for PCI guidance for startups here :-)
One thing to keep in mind is that PCI is a bare-minimum of security "best practices" that aims at validating that a company transacting with payment cards has an understanding of data classification and protection.
If compliance is bare minimum and not enough, what is a comprehensive approach available right now to reasonably protect our sensitive data? The security professionals will tell you Risk Assessments and Pentesting often is the best alternative [1]
Their answer is to specifically switch to Risk Assessment and PenTesting often, which is Requirement 11 and Requirement 12 of PCI. Each one of the bullets written is specifically covered by PCI DSS 3.1, including social engineering/phishing attacks that are provided through security awareness training. They're telling me that compliance is bare minimum, yet their suggestion is to do a subset of compliance. It's circular logic. Since it's circular logic and nobody has been able to provide me with a reasonable approachable alternative to going above bare minimum, I claim that compliance is NOT bare minimum, but in fact, due diligence.
Think of a fort. Forts had defined compliance checklists in the old times. In a fort, you go through a security rotation of making sure the pot of boiling oil tips over on time. You practice your smoke signaling so that the appropriate people are notified in the event of a wall breach. Were they spending a majority of their security drills taking half their army, launching it against the fort, fixing what fails, and then doing a risk assessment?
The most comprehensive approach is to have an InfoSec policy portfolio which permeates into every corner of your organisation and dictates secure operating behaviours and mandates logical and physical security practices. This will include regular vulnerability scans on your code, your application stack and your infrastructure but it will also include instructions on how to classify data and how to handle data according to that classification.
Compliance is achieved by marking a checklist, which is why it is fairly easy to botch it up. Sure, you can do a subset of the checklist and have compensating controls for everything you've missed, but the risk of non-compliance is not being able to do business (at best) and jail time (at worst), so you tell me what your motivation is to fail to meet the bare minimums of security best practices in the card payment industry, aka PCI-DSS.
Think of a castle; it will have several walls, towers, heavy doors, guards etc. It will also be placed on a hill, a mount or otherwise hard-to-access area (never in a vale, for instance). It will also have the largest possible distance between the treasure hall and the front door. The threats your castle faces will continuously evolve, and the walls that stood up against bows and arrows are useless against turrets or cannons, so if you want to keep your treasure you do your best to be one step ahead, and you don't get that by making sure your original walls are still in place or any other base requirements are still met.