They've clearly omitted the line “the private key was stored securely on a separate system which was not compromised” after the statement about card data and RSA. I'd go as far as to suggest that was deliberate.