Certainly Brujo.
In sshd_config, I removed the line: Subsystem sftp /usr/libexec/openssh/sftp-server
and replaced it with: Subsystem sftp internal-sftp
Then I added the following rules to sshd_config, one for each user:
Match User username
ChrootDirectory /var/www/vhosts
AllowTCPForwarding no
I tried to be more specific with the ChrootDirectory (the server supports several domains); however, that configuration did not work. So unfortunately, this method allows users to see all the directories in /vhosts. But the user can only access the directory in which that user has permissions. So, internal security is maintained.
This solution is not ideal, but Trustwave did approve my dispute, allowing us to pass the PCI tests based on the actions listed above.
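
An audit of the layout described in this post, as an added example that is not the poster's code: it parses sshd_config text and reports users whose Match block leaves out the chroot or forwarding setting, and users who share one literal ChrootDirectory (the case the post says exposes all of /vhosts). The sample config and user names are constructed; %u and %h are sshd's own ChrootDirectory tokens.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the post's layout; user names are placeholders.
SAMPLE = """\
Subsystem sftp internal-sftp
Match User alice
    ChrootDirectory /var/www/vhosts
    AllowTCPForwarding no
Match User bob
    ChrootDirectory /var/www/vhosts
Match User carol
    ChrootDirectory /var/www/vhosts/%u
    AllowTcpForwarding no
"""

def parse(text):
    """Return (global, {user: settings}); first value wins, plain Match User only."""
    glob, users, targets = {}, defaultdict(dict), None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, val = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()  # sshd_config keywords are case-insensitive
        if key == "match":
            m = re.match(r"(?i)user\s+(\S+)$", val)
            targets = [users[u] for u in m.group(1).split(",")] if m else []
        else:
            for t in ([glob] if targets is None else targets):
                t.setdefault(key, val)
    return glob, dict(users)

def audit(text):
    """Return sorted (scope, finding) pairs for the settings the post changed."""
    glob, users = parse(text)
    out, shared = [], defaultdict(list)
    if glob.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        out.append(("global", "sftp subsystem is not internal-sftp"))
    for user, s in users.items():
        chroot = s.get("chrootdirectory", glob.get("chrootdirectory", "none"))
        if chroot.lower() == "none":
            out.append((user, "no ChrootDirectory"))
        elif not re.search(r"%[uh]", chroot):
            shared[chroot].append(user)  # literal path, identical for each user
        fwd = s.get("allowtcpforwarding", glob.get("allowtcpforwarding", "yes"))
        if fwd.lower() != "no":
            out.append((user, "TCP forwarding not disabled"))
    out += [(",".join(sorted(n)), "shared chroot " + p)
            for p, n in shared.items() if len(n) > 1]
    return sorted(out)
```

Calling `audit()` on the contents of the live sshd_config returns an empty list when every tracked user is chrooted to a per-user path with forwarding off.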