The PCI question is one that unfortunately cannot be answered so easily.
The background is that a payment provider must fulfil certain security standards to be considered “secure” (PCI-DSS = Payment Card Industry Security Standard). One of these requirements is that the patches are offered by a “vendor”. However, it is not explained whether the vendor must be the original vendor and what happens if the original vendor no longer exists.
We therefore assume that for this PCI DSS certification it is important that the shop is patched in case of a security vulnerability and that these patches are provided by a professional vendor.
The last answer we got from the PayPal support was (translated from German):
"Mage One can from our point of view be an interim solution if a migration is not possible until 30th of June 2020.
Patches provided by Mage One will surely help to satisfy the data protection standard of the credit card industry, but using Mage One service does not imply, that we can guarantee that you comply with these standards."
The problem with PCI is, that you can only comply with PCI on an instance level, that means that you need to ask you local Qualified Security Assessor to certify your merchant’s store.
To support you here, we provide a PDF in the customer account of https://my.mage-one.com, which you can submit to the QSA.
If your payment provider claims that they will no longer support Magento 1 shops, the following alternatives are available so far:
I hope this makes everything a bit more understandable. If there are still questions, feel free to ask us: firstname.lastname@example.org