PCI-DSS can be tough but it is also very specifically scoped and so if done well you can keep it very limited. From the way the article describes Itch (1 person + some part time help - which isn't totally ideal for PCI either), it absolutely could overwhelm them, but Valve are certainly a big enough organisation to handle it just fine - assuming, of course, they they wanted to.