[tomg]

Oh I don't doubt you. I'm not an expert on this, heck, I wasn't even allowed on to the actual servers (because of said compliance). I don't know the guidelines for login pages or what kind of security third party JS libs are supposed to have (also PCI is not a law, afaik).

What I'm asserting is that the servers that store the actual banking and customer data have very high security standards. It's one thing to store front end website code on a VPS, it's a totally other thing to store your database with customer & bank data on Linode.

The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense?