The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-mandated requirements that apply to any business that handles, processes, or stores credit cards, regardless of the business's size or location.
With a payment processing API served through Kong, depending on your setup, you should consider the following scenarios:
Proxying Payment Data: Falls under the criterion of "processing".
Logging & Analytics: A logging plugin might store credit card data on disk or a remote location (given your API configuration), this would trigger the "storage" criterion.
You will still need to complete an annual Self-Assessment Questionnaire (SAQ) in order to be PCI compliant. There are several different types of SAQs, and a Qualified Security Assessor (QSA) can help you choose the right one for your business and achieve compliance.