We use OOB method. If a client states they can't use OOB, would we be able to have them sign a waiver stating they hold us blameless if their system is compromised?

Knowingly providing services in less than what is believed to be a secure environment would probably be a little hard to defend regardless of any such hold harmless agreement. That customer is either able to comply or cannot use the services is the only logical approach.

Read the PATCO decision or tune into this webinar. http://calendar.bollearningconnect.com/main.php?view=event&eventid=1341926976105

Banks are losing these suits as there are disputes over which system was compromised, was security adequate and now, was it reasonable.

A waiver isn't reasonable.