It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.
Exactly. The amount of risk that is introduced by putting your data into the cloud is infinitesimal compared to the risk that already exists in your network due to your company's cultural lack of top-down focus on security. If your CEO has domain admin privileges to the network and does not actively manage the Active Directory structure, you probably have more serious security issues to worry about.
I am a current security expert, working at a security-conscious company. So far, I haven't seen any hypervisor exploits, so the largest source of failure from hosting your business in the cloud probably rests on being unable to access data because of your ISP or network outages. Shop around by comparing SLAs.
When hypervisor exploits do become known (and they will), the PCI council will likely put the hypervisor into scope - they're waffly about it right now. As soon as that happens, kiss your PCI-compliant cloud goodbye - the third-party compatibility of security tools used for PCI compliance in the cloud is abysmal. It will become very difficult for any cloud-based application to live up to the PCI standards. That's your real risk.