Friday, December 17, 2010

AWS Achieves PCI DSS 2.0

Congratulations to Amazon AWS on achieving validated service provider status. Details here:
http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html

From the Amazon Web Services blog, a relevant snippet:
"Until recently, it was unthinkable to even consider the possibility of attaining PCI compliance within a virtualized, multi-tenant environment. PCI DSS version 2.0, the newest version of DSS published in late October 2010, did provide guidance for dealing with virtualization but did not provide any guidance around multi-tenant environments. However, even without multi-tenancy guidance, we were able to work with our PCI assessor to document our security management processes, PCI controls, and compensating controls to show how our core services effectively and securely segregate each AWS customer within their own protected environment. Our PCI assessor found our security and architecture conformed with the new PCI standard and verified our compliance."

Security is always one of the first objections raised when discussing moving important apps with regulated data to a cloud provider. It's been my opinion for a while that cloud providers will be in a position to offer best-in-class security solutions sooner or later. First, the business model cries out for it: cloud providers can attract more applications, and more significant applications, if they can address security requirements. Second, cloud providers will be in a good position to address security by leveraging scarce security expertise across all their hosted applications. I expect providers like Google, Amazon, Rackspace, etc. can attract and retain excellent security professionals to make sure their infrastructure is buttoned up tight. Or as tight as is feasible. Not to say there won't be breaches, there will be, but they should be able to do the job right. We might have to pay a few extra dollars of course.
