PCI stands for Payment Card Industry, and the usual standard people talk about is the Data Security Standard (DSS, or PCI-DSS). Google will yield a zillion and three hits, but as others have suggested it's really just a set of credit card security standards to follow. If you follow them and there is a problem, in theory the card company will hold you harmless--and pay you!--rather than holding you responsible and withholding payment. Another set of newer standards is called the EMV (Europay, Mastercard, Visa) standards (which, despite the name, I believe are also used by Amex). Like the PCI standards, the EMV ones are publicly available on the web.
Work with your bank to see *which* standards to follow and what your responsibilities are if you want the credit card companies to indemnify you; also, ask them if compliance is or will become mandatory to continue to accept credit card payments. Or, take the risk and keep doing what you've been doing as long as your bank continues to process the card payments. But if they stop, catching up will probably be a bit more time consuming than being ahead of the curve, so you can take your time implementing whatever it is you might have to do.
This is not really complicated once you understand the intent, even if the language is sometimes kind of dense--it's feeds and speeds kind of stuff, not microinch tolerance kind of stuff.
Both sets of standards probably have a much larger effect on software development companies (like the one I retired from) than on merchants who accept credit card payments infrequently, but YMMV.