Oh dear, indeed. Why not offer the option to make an account directly? That would offer at least some solace that your data is not being shared outside the walls of 8x8.
because AAA is a cost, and now we have some of the A provided externally, its a lower cost to say "validate over here" than it is to roll your own. Cost including doing it right, meeting KYC/AML/Age barriers which incur legal risk, and having to front on your community and say "sorry, we lost all your private data in a hack"
remind me, do people roll their own CC handling or does the PCI rules drive you to ... using another intermediary in card processing, because of the giant risks?
Dealing with PCI means you basically have to rely on the payment processor to store the card and customer data. Intermediaries like Square and Stripe require this and make it easy. It's been a long time since I built anything that spoke directly to a card gateway (i.e. merchant bank) but I'd be pretty shocked if any didn't force you to use their iframe/storage/token solution at this point. Back in the late 90s, e-commerce sites used to just take the customer card numbers in plaintext and pass them to the VeriSign gateway and basically roll their own APIs.
