You didn’t sell the recovery tool, you sold the warm and fuzzy feeling that somebody was looking out for them.

Address, phone number, credit card and all.

Oh wow. As someone who used to work in Fintech and who built a PCI-DSS compliant system got it successfully certified, it would be a shame if somebody reported that company for violations that could get them to lose their PCI-DSS certification. I mean, do they just bribe their PCI-DSS auditor to overlook this, or have they just managed to hide this blatant issue so far?

Sounds like you escaped a violent theocratic cult.