PCI, as part of its guidance on PCI DSS, provides specific guidance on best practices. The basis of the PCI best-practice guidance is that security controls should be implemented into business-as-usual (BAU) processes rather than treated as a one-time assessment exercise. This is similar to the concept of data protection by design and by default in GDPR Article 25.
The best practices are broken down into 6 recommendations, which at a high level are best practices for any information security management system (ISMS).
In addition, PCI recommends that organizations implement separation of duties. The concept ensures that there are independent checks on work: the engineers who implement encryption should not also act as the auditors who verify that encryption.
Additionally, though not explicitly included in the PCI best-practice guidance, segmenting networks so that cardholder data (CHD) is isolated from other networks is a way to reduce both the scope of a PCI assessment and the risk to cardholder data. Defining the scope is the first step of a PCI assessment, so limiting where CHD can be stored, processed, or transmitted directly limits what must be assessed.
Not all entities, based on size and PCI level, need to be validated for each of these best practices.
Though the requirements themselves go into great detail, PCI DSS at a high level is focused on following best practices for security.