Someone needs to offer PCI compliant managed hosting with appropriate security auditing.
For instance, firewall rules should be viewable by the end customer at ANY time, and the customer should be able to have a third party test and audit all firewall rules and DNS rules that are supposed to be in effect, without the knowledge of the managed hosting company and its staff.
All touches on a server or network related to an e-commerce system, or to any system with sensitive data (including hardware, software and any network devices along the way), should be logged, and that log should be available to customers at any time upon request, or possibly at any time through a secure system.
Make sure customers are always up to date with the latest VPN client software. My hosting company, with the highest industry uptime server rating, was letting me run with out-of-date VPN software.
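One concrete form of the independent firewall-rule check the post asks for, added here as an example and not code from the original post or from any hosting provider: it compares the ruleset the customer has on file against the ruleset actually exported from the host and reports rules that are missing, rules that were never authorised, and changes in rule order. Both rulesets are constructed iptables-save style samples embedded in the script; the names `DECLARED` and `LIVE` and the assumption that the export uses `-A` lines are mine.

```python
"""Detect drift between the firewall rules a customer was promised and the
rules actually loaded on a host (constructed example, not code from the
original post or any hosting provider).

Input format assumed: iptables-save style lines such as
    -A INPUT -p tcp --dport 443 -j ACCEPT
Both the declared policy and the live export are embedded below as
constructed sample text so the script runs offline.
"""
import shlex

# Declared policy: what the customer (or an independent auditor) has on file.
DECLARED = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 203.0.113.10/32 -j ACCEPT
-A INPUT -j DROP
"""

# Live export: what `iptables-save` shows on the host (constructed sample).
# Here SSH has been opened to the world and an extra management port added.
LIVE = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 10050 -j ACCEPT
-A INPUT -j DROP
"""


def parse_rules(text):
    """Return the append rules as tuples of tokens, in file order.

    Only ``-A`` lines are considered; comments, table headers (``*filter``),
    ``COMMIT`` and chain policy lines (``:INPUT DROP``) are ignored. Token
    order is preserved, so ``-s X -j ACCEPT`` and ``-j ACCEPT -s X`` count as
    different rules, which is the conservative choice for an audit.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue
        rules.append(tuple(shlex.split(line)))
    return rules


def diff_rules(declared_text, live_text):
    """Compare the declared policy against the live ruleset.

    Returns a dict with:
      missing   - declared rules absent from the live host
      extra     - live rules the policy never authorised
      reordered - True if the rules common to both appear in a different
                  order (order matters in iptables: a broad ACCEPT placed
                  above a narrow DROP changes the effective policy)
    """
    declared = parse_rules(declared_text)
    live = parse_rules(live_text)
    declared_set, live_set = set(declared), set(live)
    shared = declared_set & live_set
    declared_order = [r for r in declared if r in shared]
    live_order = [r for r in live if r in shared]
    return {
        "missing": [r for r in declared if r not in live_set],
        "extra": [r for r in live if r not in declared_set],
        "reordered": declared_order != live_order,
    }


def format_report(result):
    """Render the diff as one line per finding, suitable for an audit log."""
    lines = []
    for rule in result["missing"]:
        lines.append("MISSING: " + " ".join(rule))
    for rule in result["extra"]:
        lines.append("EXTRA:   " + " ".join(rule))
    if result["reordered"]:
        lines.append("WARNING: shared rules appear in a different order")
    if not lines:
        lines.append("OK: live ruleset matches declared policy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_rules(DECLARED, LIVE)))
```

Run against the samples it flags the narrowed SSH rule as missing and the world-open SSH rule and port 10050 as extra. In practice the live side would come from an export taken by the auditor, not one handed over by the provider, which is the point of the post.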