Security, and therefore Compliance, in the cloud is a shared responsibility. In other words, no IaaS or PaaS cloud vendor can provide complete compliance since the cloud providers’ responsibilities end at the hypervisor. You, the application provider, are responsible for securing the VM and the applications/data therein.
In the case of an IaaS cloud provider who may achieve compliance from the “concrete to the hypervisor,” (let’s use PCI again,) the customer in turn must have the contents of the virtual machine (OS, Applications, operations, controls, etc.) independently assessed and meet PCI compliance in order that the entire stack of in-scope elements can be described as compliant.
Thus security — and more specifically compliance — in IaaS (and PaaS) is a shared responsibility.