I am an IT auditor working for a company that you would call if you wanted to be certified.
Certification means that there is a work (audit) programme that states control objectives. The auditor follows this programme very closely and then, if the issues are within some zone of tolerance (which may also be zero), the auditor writes a statement that company XYZ is compliant with this and that.
What it does NOT mean is:
a) that a certified company will follow its practice after certification (they may just have put on a convincing show)
b) that there are no other issues with the company that are outside of the work programme
c) that the sysadmin will be diligent in future about applying timely patches
PCI-DSS compliance says "There are no critical issues on the surface". That's it.
Fast, cheap, good: pick two.