I investigated the PCI compliance process for my small non-profit a few months back. At this point, the PCI compliance process is a sham. It is nigh impossible for any small business to comply with the PCI certification process, using a PCI-compliant datacenter or not.
What it comes down to is that the credit card industry is trying to can the beast that has been growing for the past 30 years. The PCI compliance process is meant to force businesses to use major credit card processors to process any credit card transaction, making sure any credit card information is never in the end merchant's hands (or computers).
The way the PayPal PayflowPro process works is that your customer places an order on your website, then they are forwarded to PayPal's payment webpage (customized to your liking) to actually enter the payment, then the gateway sends back an 'OK' to your site, saying that the payment was processed.
This differs from what happened in the past, which is that they would enter the credit card information on your site, then you passed that information to a merchant gateway, which then gave your site the OK. There are other merchant processors that do this same thing, such as Authorize.net and Google Payments.
This change means that your website and hosted server do not need to be PCI compliant, since credit card information never passes through them. Hopefully this doesn't come across as a rant, but the way they have been implementing PCI and 'scaring' customers with PCI compliance, and charging fees along the way, has been a joke.
You'll find plenty of companies willing to sell you PCI compliance services (even on this website), but in my opinion it is merely snake oil.
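The redirect flow described in the post above, as an added example that is not part of the original post and is not PayflowPro's (or any real gateway's) API: a toy gateway stands in for the hosted payment page so the exchange runs offline. Everything named here is an assumption for the demo: the URLs gateway.example and shop.example, the shared secret, and HMAC-SHA256 over sorted key=value pairs as the signature on both the redirect and the returned 'OK'. What the code shows beyond the prose is the merchant side's obligations in this model: it never accepts a card field, and the 'OK' that lands on its return URL must be verified (signature, known order, matching amount, no replay) because anyone can request that URL.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the demo (not PayflowPro's real protocol): a shared secret
# agreed with the gateway out of band, and HMAC-SHA256 over sorted "k=v"
# pairs as the signature. Real gateways use their own token/signature scheme.
GATEWAY_SECRET = b"demo-shared-secret"          # constructed, hypothetical
GATEWAY_URL = "https://gateway.example/pay"     # hypothetical hosted page
RETURN_URL = "https://shop.example/return"      # hypothetical merchant page


def sign(params: dict) -> str:
    """HMAC-SHA256 over canonical 'k=v' pairs sorted by key (assumed convention)."""
    canon = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(GATEWAY_SECRET, canon.encode(), hashlib.sha256).hexdigest()


def query_params(url: str) -> dict:
    """Flatten a URL's query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class MerchantSite:
    """The non-profit's web server: builds the redirect and checks the OK,
    but never exposes a form field for a card number."""

    def __init__(self):
        self.orders = {}            # order_id -> {"amount": cents, "status": str}
        self.seen_txns = set()      # gateway transaction ids already applied

    def create_order(self, amount_cents: int) -> str:
        """Step 1: record the order and send the shopper to the gateway's page."""
        order_id = secrets.token_hex(8)
        self.orders[order_id] = {"amount": amount_cents, "status": "pending"}
        params = {"merchant": "nonprofit-demo", "order": order_id,
                  "amount": str(amount_cents), "return_url": RETURN_URL}
        params["sig"] = sign(params)
        return f"{GATEWAY_URL}?{urlencode(params)}"

    def handle_return(self, url: str) -> str:
        """Step 3: the gateway's 'OK' arrives on return_url. Anyone can hit
        this URL, so the site verifies it instead of trusting it."""
        p = query_params(url)
        sig = p.pop("sig", "")
        if not hmac.compare_digest(sig, sign(p)):
            return "rejected: bad signature"
        order = self.orders.get(p.get("order"))
        if order is None:
            return "rejected: unknown order"
        if p.get("txn") in self.seen_txns:
            return "rejected: replayed notification"
        if p.get("status") != "OK" or int(p.get("amount", -1)) != order["amount"]:
            return "rejected: status or amount mismatch"
        self.seen_txns.add(p["txn"])
        order["status"] = "paid"
        return "paid"


class ToyGateway:
    """Stand-in for the hosted payment page (PayflowPro, Authorize.net, ...).
    The card number is entered and kept only here, inside the gateway's scope."""

    def __init__(self):
        self.cards_seen = []

    def shopper_pays(self, redirect_url: str, card_number: str) -> str:
        """Step 2: check the merchant's request, take the card, send back an OK."""
        q = query_params(redirect_url)
        sig = q.pop("sig", "")
        if not hmac.compare_digest(sig, sign(q)):
            raise ValueError("tampered redirect")
        self.cards_seen.append(card_number)
        resp = {"order": q["order"], "amount": q["amount"],
                "status": "OK", "txn": secrets.token_hex(6)}
        resp["sig"] = sign(resp)
        return f"{q['return_url']}?{urlencode(resp)}"   # browser lands back here


def run_flow() -> dict:
    """Drive one purchase, then a replay and a tampered OK; report what the merchant saw."""
    site, gateway = MerchantSite(), ToyGateway()
    redirect = site.create_order(2500)
    ok_url = gateway.shopper_pays(redirect, "4111111111111111")  # constructed test PAN
    return {
        "first": site.handle_return(ok_url),
        "replay": site.handle_return(ok_url),
        "tampered": site.handle_return(ok_url.replace("amount=2500", "amount=1")),
        "pan_in_merchant": "4111111111111111" in json.dumps(site.orders)
                           or "4111111111111111" in redirect,
    }


if __name__ == "__main__":
    print(run_flow())
```

The replay and amount checks are the part most often skipped in real integrations: a signature alone proves the message came from the gateway, not that it belongs to this order or has not been delivered twice.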
Yes, disabling SSL 2.0 will ensure that IIS only uses SSL 3.0 or TLS 1.0. You can also disable individual cipher algorithms to ensure that SSL3/TLS only use the "best" algorithms available as well, although this is not really a practical issue if you select "require 128-bit encryption" from the GUI in the IIS SSL configuration. All of the >128-bit algorithms in SSL3 and TLS are "strong", have no practical breaks, and unless you have very specific regulatory requirements can be used safely.
See http://support.microsoft.com/kb/187498 for details.
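The answer above points at the SCHANNEL registry settings described in that KB article. As an added example (mine, not the answerer's), a small Python script that parses an exported .reg file of that key and reports which protocols and ciphers are not explicitly disabled, which is handy when reviewing a server's configuration offline or checking a change before it is applied. The key layout (an "Enabled" DWORD under Protocols\<name>\Server and under Ciphers\<name>, 0 meaning disabled) is the one Microsoft documents for Schannel; the export text itself is constructed for the demo. The sample leaves SSL 3.0 enabled, as the answer describes; passing protocols=("SSL 2.0", "SSL 3.0") flags it as well, which is what current guidance calls for.

```python
import re

# Key layout from Microsoft's Schannel registry documentation (KB187498 for
# protocols). The export below is constructed for the demo, not captured
# from a real server.
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

SAMPLE_EXPORT = rf"""Windows Registry Editor Version 5.00

[{SCHANNEL}\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[{SCHANNEL}\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

[{SCHANNEL}\Ciphers\NULL]
"Enabled"=dword:00000000

[{SCHANNEL}\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[{SCHANNEL}\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[{SCHANNEL}\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[{SCHANNEL}\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
"""

# Export-strength and null ciphers that the KB-style hardening turns off.
WEAK_CIPHERS = ("NULL", "DES 56/56", "RC4 40/128", "RC4 56/128")


def key_path(*parts: str) -> str:
    """Join sub-key names under the SCHANNEL key with backslashes."""
    return "\\".join((SCHANNEL,) + parts)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                   # "[HKEY_...]" opens a key
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:           # "Name"=dword:xxxxxxxx
            reg[current][m.group(1)] = int(m.group(2), 16)
    return reg


def enabled_state(reg: dict, key: str):
    """True/False if the key carries an Enabled DWORD, None if Schannel's
    built-in default applies because the value is absent."""
    vals = reg.get(key, {})
    return None if "Enabled" not in vals else vals["Enabled"] != 0


def audit(text: str, protocols=("SSL 2.0",), ciphers=WEAK_CIPHERS) -> list:
    """List protocols/ciphers that are not explicitly disabled. An absent key
    is reported too, since the server then falls back to Schannel's default."""
    reg = parse_reg_export(text)
    findings = []
    for proto in protocols:
        if enabled_state(reg, key_path("Protocols", proto, "Server")) is not False:
            findings.append(f"protocol {proto} not disabled for the server side")
    for cipher in ciphers:
        if enabled_state(reg, key_path("Ciphers", cipher)) is not False:
            findings.append(f"cipher {cipher} not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, protocols=("SSL 2.0", "SSL 3.0")):
        print(finding)
```

Treating a missing "Enabled" value as a finding is deliberate: the registry export only tells you what was explicitly set, and an audit should not assume the operating-system default is the safe one.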
Best Answer
The frameworks that are used are not the issue; it's the applications that are built on the framework. So essentially PCI is framework-agnostic (Rails in this case).
Just make sure you code a secure app using Rails and you will be fine.