Its a good question, and I’d love to hear some authoritative answers – either from someone directly representing the PCI-DSS or at least a QSA with access to PCI members.

My unauthoritative answer would be that the webserver that hosts the iframe would be in scope for PCI, and you’d be classed as a service provider. This is based on my interpretation of the PCI standard, where the glossary states:

Service Provider Business entity that is not a payment card brand
member or a merchant directly
involved in the processing, storage,
transmission, and switching or
transaction data and cardholder
information or both (*1). This also
includes companies that provide
services to merchants, services
providers or members that control or
could impact the security of
cardholder data (*2). Examples include
managed service providers that
provide managed firewalls, IDS and
other services as well as hosting
providers and other entities.
Entities such as telecommunications
companies that only provide
communication links without access to
the application layer of the
communication link are excluded (*3)

*1. You’re clearly not a payment card brand (such as Visa), neither are you a merchant (to whom you’re providing this service)
*2. This is pretty clearly your role, as providing a service
*3. Unfortunately, I dont think you meet this exclusion, as you have access to application layer data.

The good news is that the approach you’ve taken is probably the best you can do to minimise your headaches.

Ideally then you’d segment this server so that access to a wider (internal) network is very restricted. Ensure that the only ‘application’ the webserver provides is this iframe (ie, dont run any other webpages from the server). Ensure that the logging that the server/iframe/etc generate doesnt contain any card related data

Unfortunately I belive it does mean that a QSA needs to be involved, as you are processing web transactions.