[gist]

> unless you colocate your own stuff in a locked cage

How much is a locked cage really needed?

To me the risks are really someone messing with your cables and taking you off line, or accidentally pulling a power plug, which is QOS really. Not security. Can't remember when I heard of someone carting off a server or plugging in a cable to the console port (once they have gotten even into the racks and are on cameras) and doing any harm. Even if this does happen it seems fairly remote and not a concern unless you are really doing something so important that you need to lock up the servers. Sure price not being an object why not lock them up.

[panamafrank]

PCI compliance i think, also merchants wouldn't touch you with a barge pole if you don't have dedicated hardware... so no aws/gce.

[aroch]

Contemporary PCI compliance does not require dedicated hardware -- You can by PCI Level I compliant on DO, AWS and many other shared-infra providers.

Also, worth noting, since most places are integrating payments through, e.g., Stripe, the requirements on the gateway server are much lower.

[pfg]

You can definitely run PCI compliant infrastructure on services such as AWS. Stripe runs on AWS IIRC. Many (most?) AWS services are PCI compliant and using them won't prevent you from being PCI certified.