If your server is directly connected to the Internet, you will fail PCI-DSS compliance. You at least need to put a proxy between the Internet and your server.
IMO, the best way to accomplish this is to hold credit card data on a separate server (this server will only store data, nothing more) that is not connected to the Internet (no route to the Internet gateway).
Credit card server <--> Intermediate API server (retrieves credit card data in a safe way) <--> Webserver
This way, only the intermediate server is allowed to access credit card data. The credit card server and the intermediate server do NOT have access to the Internet. Obviously the credit card server and the intermediate server should communicate on a private LAN. The only point here is how you authenticate the webserver to the intermediate server. You have plenty of solutions.
For the Debian part, following the security updates is enough for PCI DSS.
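One of the "plenty of solutions" for the webserver-to-intermediate-server authentication, as an added example that is not part of the answer above: mutual TLS with a private CA that exists only on the LAN. The intermediate API server presents a certificate from that CA and requires every client to present one too, so a webserver holding a LAN-CA client certificate is served, while an anonymous client, or an attacker on the LAN who mints a "webserver" certificate under a CA of their own, is dropped during the handshake. Everything here is assumed for the demonstration: the CA and host names (lan-ca, api-server, webserver, rogue-ca), the /card path, the in-memory certificates, and loopback standing in for the private LAN; the "no route to the Internet" part of the design is routing and firewall configuration and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// PKI is a throwaway in-memory CA for the private LAN; every name in it is made up.
type PKI struct {
	CAPool *x509.CertPool  // the only trust anchor either side accepts
	Server tls.Certificate // presented by the intermediate API server
	Web    tls.Certificate // presented by the web server
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and a certificate for cn signed by ca (a self-signed root when ca == nil).
func issue(cn string, serial int64, eku x509.ExtKeyUsage, ca *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the name peers verify against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	parent, parentKey := tmpl, any(key)
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, parentKey = ca.Leaf, ca.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// NewPKI builds the LAN CA and issues the API server's leaf and the web server's client leaf.
func NewPKI() *PKI {
	ca := issue("lan-ca", 1, x509.ExtKeyUsageAny, nil)
	p := &PKI{
		CAPool: x509.NewCertPool(),
		Server: issue("api-server", 2, x509.ExtKeyUsageServerAuth, &ca),
		Web:    issue("webserver", 3, x509.ExtKeyUsageClientAuth, &ca),
	}
	p.CAPool.AddCert(ca.Leaf)
	return p
}

// RogueWebServer is what an attacker on the LAN can mint: a "webserver" cert under a CA of their own.
func RogueWebServer() tls.Certificate {
	rogueCA := issue("rogue-ca", 9, x509.ExtKeyUsageAny, nil)
	return issue("webserver", 10, x509.ExtKeyUsageClientAuth, &rogueCA)
}

// StartAPIServer runs the intermediate API server on loopback; TLS refuses any client without a cert chaining to the LAN CA.
func StartAPIServer(p *PKI) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "caller=%s", r.TLS.PeerCertificates[0].Subject.CommonName) // the verified caller identity
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.CAPool}
	s.StartTLS()
	return s
}

// Call requests url as the web server would: trusting only the LAN CA, pinning the API server's name,
// and presenting client certs (none means an anonymous client).
func Call(url string, caPool *x509.CertPool, client ...tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: caPool, ServerName: "api-server", Certificates: client}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	p := NewPKI()
	s := StartAPIServer(p)
	defer s.Close()
	for _, c := range [][]tls.Certificate{{p.Web}, {RogueWebServer()}, {}} {
		fmt.Println(Call(s.URL+"/card", p.CAPool, c...)) // 200 <nil>, then two handshake errors
	}
}
```

The point of the rogue case is that "has some certificate" is not authentication: the API server only trusts the one CA whose key never leaves the LAN, and the webserver pins the API server's name the same way, so neither side will talk to an impostor on that network. In production the CA key would be kept offline, the leaves would be issued per host with short lifetimes, and the handler would additionally check that the verified CommonName is the webserver before returning any card data.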