Having been through this in the past without any clear guidance at the time, this post and the comments are highly valuable to anyone struggling with these issues. For me, the Cloud Provider and their true degree of compliance was key. The lesson- assume nothing, do the research as mentioned. Also, there is always the option of calling the payment provider directly - outside of your system - so the compliance issues are almost entirely thiers at that point. Thanks for writing this and I will make it part of my library on PCI DSS compliance with Cloud Providers.