Abolish Financial company "self-audits" for InfoSec - IC(2)
Sarbanes-Oxley attestations are signed by the CEO, yet the controls and compliance tests are performed and reported by lower-ranking employees. Having come from one of the largest and most elite, I saw that reporting inaccuracies and glaring security gaps fell on deaf ears. This ultimately left card members (holders) at risk. Everyone at the top was more interested in their annual bonus, as opposed to being ethical and responsive to protection of the "general public at large". An external entity needs to perform the attestation of the "state of security" at these firms & companies, as opposed to internal security practitioners and business heads. It is FAR too easy... to ink the paper and turn a blind eye. I recommend that credentialed security organizations or oversight bodies sign those attestations independently, much like having an independent auditing firm attest to the financial records.
-
Old Engineer commented
Many things that have nothing to do with financial reporting have been sucked into the provisions of this act. The act needs to be repealed or massively revised. It costs industry too much as it is now written.