Answer to example question #3:
Question: Your company has decided to start selling products through your website, accepting payment by credit and debit cards. You will do this in an public cloud setting and your staff will administer the servers' operating systems and applications. A secure tunnel connects your cloud server to the payment processing firm. Your staff must install client-side certificates on your VMs so they can automatically authenticate into the payment processor. All purchase records will be stored in your virtual private cloud, in object storage protected by encryption. (except, of course, not the CVV) The payment processor returns values which you store in the purchase records to support any later refunds. What do you need?
"Your staff will administer the servers' operating systems and applications" means IaaS.
"a secure tunnel" means TLS.
"client-side certificates" means X.509v3.
"encryption" could be AES-CBC.
"except not the CVV" is PCI-DSS.
"the payment processor returns values" is tokenization.
They're all needed to make this happen. The question text is mostly narration and description, must have is the only verb expressing a requirement. And, it seems like everything else is already in place, or at least you're ready to simply get started. However, the certificates still need to be created and installed.
About client certificates — your web site is the server to the customer on their client system. But once they decide to buy something, your system has to connect, as a client, to the transaction processor functioning as a server.
Your IaaS machine is a server to the customer, and a client to the transaction processor, at the same time.