Kevin, Good points. From a pragmatic stance, there are very few folks that will review the AWS RoC and understand the details. Larger folks, and those with QSA's on retainer can do that (need to get a copy of the RoC first). Getting a copy of the RoC has not typically been an easy thing to do, unless you are a large customer. For those of us that are not in the multi-millions of $ range, we are usually left with what is publicly available, hence "off the list" or "willing to show you the internals" are the only option for 90% of the PCI community. I know Dell has a Public Cloud IaaS offering, and I am in hopes that you can set the stage for transparency at the IaaS CSP level. Until all the folks, not just the ones paying bank, can get access to the detailed info, we are where we are.