"Personally identifiable information will be processed and stored by Valve in databases hosted in the United States. Valve has taken reasonable steps to protect the information users share with us, including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information." Vague as it is, this does seem to generally meet the needs that something like PCI-DSS would call for, and therefore seems to show that they are taking proper steps to secure credit card and all other user data. Additionally, they allow payments through third-party vendors, like PayPal, which has well-established security measures as well.
But the more likely threat with a platform like Steam is account phishing. Since someone's account holds all their game licenses, scammers are always looking for ways to steal someone's info and hijack their account for their own use. One of the most notable measures against scamming comes built into the IM service. Whenever a chat window is opened, a reminder to "Never tell your password to anyone" comes up, with a link to an account security page. This helps stop scammers who pose as Valve employees and ask for account details through the IM service. In addition, to change any account info, even an email address, a user must verify their current email and retrieve a verification code that allows them to make the changes they desire. This measure helps the real user retrieve their account even if they lose their information, as it is likely that they will be the only one who can access their email (provided they have diversified passwords). Steam also allows a user to be signed in at only one location at a time, which can be helpful in locking out a scammer who has the account details, though this is a double-edged sword, as it could also allow a scammer to lock out the legitimate user. And lastly, if all else fails, Steam has a support system which focuses heavily on account recovery. If a user loses their account, the support team will work quickly on recovering it for the valid user (which can only be proved by credit card ownership or the serial of any boxed game owned), and will restore any damage done to the account (fraudulent purchases, removals of currently owned games) so that the user can have their account as it was before the hijacking.