During the course of a current PFI investigation I was informed by a developer that the merchant's Magento 1 store was PCI compliant because the developer was listed on https://www.magentoassociation.org/commerce-co-op/full-article/magento-1-post-eol-resources-1 as providing patches for Magento 1.
Unfortunately, this does not represent a 'stay of execution' for Magento 1. PCI DSS requirement 6.2 states that merchants must 'Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches'. Security patches provided by a disparate group of third parties, who will have differing methodologies for identifying and remediating vulnerabilities, and who will only provide these to 'their' customers, do not meet the requirement of PCI DSS.
The upshot is that merchants cannot rely upon third-party patches to the Magento 1 platform to maintain PCI compliance. It's past time to migrate.