Thanks for the links Daniel. Very helpful! BTW, we're in headquartered in Nova Scotia, and as per your link, we have stricter privacy laws than the rest of Canada. It even goes as far as provincial departments not cooperating with other provinces because their privacy laws are incompatible.
Additionally, at least in Canada, privacy-cautious organizations don't look too favorably on services that store data in US, in part due to the patriot act. We even have US clients who liked the fact their data would be stored in Canada ;O)
That might not be an issue: http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00508.html
> 2) To be PCI compliant
AWS is PCI compliant: http://aws.amazon.com/security/pci-dss-level-1-compliance-fa... and Rackspace might not be charging extra anymore.