This is too much like scifi fantasy!
CardSystems tries to blame someone who is not even there to defend themselves!
Thanks Dwaine for the following follow up on it:
And while they were at it, they also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.
Interesting times indeed…the case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems’ Security consultants they thought they were auditing discrete parts of the payment processing network for compliance with VISA’s standards. CardSystems, on the other hand, apparently thought they were purchasing “hacker insurance” and a guarantee that they would never be subject to attack.
Bold emphasis mine.
More info and link to the original article at Dwaine’s site (link above).