DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

PCI Compliance

28 Jun 2016 15:53 #1 by nickbrad
PCI Compliance was created by nickbrad
Is there a way of using the firewall/VLAN component of a 2860 to ensure PCI compliance?


28 Jun 2016 16:31 #2 by sicon
Replied by sicon on topic Re: PCI Compliance
PCI covers loads now, it's not about just hardening up the security on a firewall. Regardless of the firewall and VLANs, if you only have 1 static IP address and the scan discovers open ports, it will scan it.

For example:
1 static external address and you have two or more VLANs behind it.
You might have an Exchange server or web server open on port 443. The scan will detect this and see SSL is open and you will fail on TLS 1.0 (for Exchange).
You also need to switch off the RC4 ciphers.

If you won't have or need open ports then just make the router stealth and block everything from untrust to trust and lock down the firewall management with an access list.

If you have a multiple IP subnet then stick the payment network on one of these and block everything from the WAN side in, plus any inter-VLAN routing.

There are too many different scenarios now and some require you to have internal kit now scanning the LAN for changes.

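The segmentation advice in the reply above (block everything from the WAN side in, plus any inter-VLAN routing to the payment network), as an added example that is not part of the original post: a first-match rule checker showing how a broad allow placed above the payment deny leaves the payment VLAN reachable. The zone names and rule format are hypothetical and are not DrayTek configuration syntax.

```python
# Added example: zone names and rule format are hypothetical, not DrayTek syntax.
from itertools import product

ZONES = ["WAN", "LAN_OFFICE", "LAN_PAYMENT"]
PAYMENT = "LAN_PAYMENT"

def first_match(rules, src, dst, port, default="deny"):
    """Return the action of the first rule matching the flow (first match wins)."""
    for r in rules:
        if (r["src"] in (src, "any") and r["dst"] in (dst, "any")
                and r["port"] in (port, "any")):
            return r["action"]
    return default

def inbound_exposure(rules, ports=(22, 80, 443, 3389)):
    """List (src, port) flows that reach the payment zone from any other zone."""
    found = []
    for src, port in product(ZONES, ports):
        if src != PAYMENT and first_match(rules, src, PAYMENT, port) == "allow":
            found.append((src, port))
    return found

# Constructed rule set: broad allows sit above the payment deny and shadow it.
WEAK = [
    {"src": "WAN", "dst": "any", "port": 443, "action": "allow"},  # open 443
    {"src": "LAN_OFFICE", "dst": "any", "port": "any", "action": "allow"},
    {"src": "any", "dst": "LAN_PAYMENT", "port": "any", "action": "deny"},
]

# Corrected: the payment deny comes first and the 443 opening is scoped
# to the office zone only.
FIXED = [
    {"src": "any", "dst": "LAN_PAYMENT", "port": "any", "action": "deny"},
    {"src": "WAN", "dst": "LAN_OFFICE", "port": 443, "action": "allow"},
    {"src": "LAN_OFFICE", "dst": "WAN", "port": "any", "action": "allow"},
]

if __name__ == "__main__":
    print("weak :", inbound_exposure(WEAK))
    print("fixed:", inbound_exposure(FIXED))
```
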

29 Jun 2016 16:49 #3 by admin
Replied by admin on topic Re: PCI Compliance
But, specifically, the Vigor 2860 can be set up in order that it is PCI compliant... but only so far as its own functions go. Other parts of your network, as the earlier reply said, have to be considered too.



Forum Administrator
