We were thinking of a separate partition, or a new Power 710,
then using DDM to access the data.
A separate partition and a new 710 are over-kill; you don't need to spend that much. And DDM will cause performance problems. Here's a good overview of PCI requirements:
And here is a detailed explanation of the intent of each requirement:
I would suggest using a pair of $100/each routers to establish a DMZ. Route HTTP traffic from the DMZ to an IBM i HTTP / HTTPS instance serving as a "reverse-proxy" and general web server, which in turn routes CGI or PHP (or whatever) I/O to a separate IBM i HTTP instance on a separate IP address and port. That type of configuration clearly meets both the "letter" and intent of numerous points in the standard, without extra server hardware.
If you want to get pedantic, you could run your HTTP / HTTPS reverse-proxy under Linux on commodity hardware in the DMZ.
Feel free to contact me off-line if you'd like help with such a configuration.