Thanks, Cristian. I have done a bit more research on this. PCI compliance seems to be the elephant in the room — at least for small businesses that want to outsource hosting of ecommerce sites.
I found this discussion to be helpful:
http://www.sitepoint.com/forums/showthread.php?807314-Rackspace-Customers-cannot-host-shopping-carts-on-the-cloud
Rackspace CloudSites doesn’t allow the PCI scans.
GoDaddy doesn’t either. They are pushing you to their shopping cart or to dedicated hardware: http://support.godaddy.com/groups/web-hosting/forum/topic/pci-compliance/ (The link is a bit old, but I think the situation is still the same.)
I went to FireHost and tried to configure a PCI compliant hosting option on their website, but that resulted in a solution that costs more than $800/month.
Also, regarding PayPal Advanced, on the service main page, the rollover for “Simplify PCI Compliance” says, “With this solution, the only remaining requirements are a greatly simplified Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans.” — This does not simplify things at all.
Currently, I am waiting for a quote from Rackspace for a PCI compliant solution. I expect this will be expensive.
I can only assume that most small businesses hosting ecommerce sites are just ignoring this issue, which is causing the major hosts to ignore this issue as well, or push the “honest” small businesses toward expensive solutions.
I did have one small stroke of luck — it appears that Amazon Web Services is PCI Compliant, which means that theoretically, I could host WordPress on EC2 and successfully pass the scans…I think.