If PCI folks are checking your site, you are probably doing credit card transactions or accepting or storing other sensitive information. In that case I would try to have the following security policy on my server:
Open 443 for the world (HTTPS protocol)
Open 22, only for your own IP(s) (SSH and SFTP)
All other ports closed
The problem is that other ports may be currently safe to open for a particular service, but you never know when a zero day exploit for that service is launched. Less ports open is less attack vectors.