
Good point, we'll update the docs.

Regarding PCI, it's up to you. You can run it inside your PCI environment or delegate it to your payment provider (via CC tokenization).




If your company has a PCI environment, I'm not that worried (you probably have a pretty good idea of what you are doing, at least in theory), but most startups do not have this, as far as I know. Most just want to get a product/service out of the door. This is where I get worried :-)

It is very easy to set up a system in a corner (here, we'll install this piece of software, that will save us the $99/month Recurly subscription...) then forget about it until it is too late...

Some guidance would be very important, as well as mentioning ways to make it more secure, including tokenization, logging of CC numbers in server logs, knowing if the data transits through your server or not depending on the provider, maybe even keeping the software behind a firewall without internet access; these can make a big difference in managing the risk.

As an open source project, you cannot be held responsible for what the people using the software are doing, but I think you should make sure that they understand that even if the software is free and easy to install and use, additional work is required to make sure that the data is safe.


mentioning ways to make it more secure, including tokenization, logging of CC numbers in server logs, knowing if the data transits through your server or not depending on provider

"logging of CC numbers in server logs" is an almost guaranteed way to make your setup not PCI compliant.

The PCI industry as a whole is missing a lot of this kind of guidance, in general. There's no "here's the minimum you need to do to be PCI Level X compliant". The reason is that the industry considers every situation to be different (I doubt most are all that different or if they are, 90% of them can fit into a handful of buckets), and you're supposed to hire PCI auditors to come in and certify you. Another reason there are no minimum guidelines is that PCI seems to be more about awareness than actual specific architecture. You can sidestep certain things as long as you document them and what your mitigating implementation is. This leads to...

Last time I went through a PCI setup, it was an unspoken rule that if we hired an auditor that didn't certify us even though we thought we should be, we could hire a different auditor, and keep doing so until we got one we liked.
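The two comments above both touch on card numbers ending up in server logs. The following is an added example, not code from the thread or from the project being discussed: a Python logging filter that scans every log message for 13-19 digit runs, confirms they are plausible PANs with the Luhn checksum, and masks all but the first six and last four digits before the record reaches any handler. The regex, the masking width and the sample log lines are assumptions made for this illustration; the point is that redaction happens in the logging pipeline, so a developer who carelessly logs a request body does not silently put the deployment out of scope for PCI compliance.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. (Regex is an assumption for
# this example; tune it to the card brands you actually accept.)
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if `digits` passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep the first six and last four digits, mask everything in between.

    Six-and-four is the display truncation PCI DSS has traditionally
    permitted; separators are dropped so the masked form is stable.
    """
    digits = re.sub(r"[ -]", "", candidate)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid digit run in `text`; leave other numbers alone."""
    def _sub(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        return mask_pan(candidate) if luhn_ok(digits) else candidate
    return _PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Attach to a handler (or logger) so no PAN reaches a log sink."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so PANs passed via %-args are caught too, then
        # clear args so the handler does not re-format the message.
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "payments") -> logging.Logger:
    """Constructed example wiring: a stream handler with the filter attached."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(PanRedactingFilter())
        logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = build_logger()
    # Constructed sample lines: a Visa test number, then a 16-digit order id
    # that is not Luhn-valid and is therefore left untouched.
    log.info("charge failed for card %s", "4111 1111 1111 1111")
    log.info("order 1234567890123456 retried after timeout")
```

Attaching the filter to the handler rather than relying on discipline at each call site is the design choice that matters: every record, including those from third-party libraries that log request bodies, passes through it. The Luhn check avoids masking ordinary 16-digit identifiers such as order numbers; if false negatives are less acceptable than noisy redaction, drop that check and mask every long digit run.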




