Does a CatchConnect Account Retain CC Details after 90 Days Expiry?

I don't mind if the account is still there, but do the CC details still remain after the number has gone into quarantine? I just saw someone noted that the account stays active even after ported out or if the 90 days are over.

If so, doesn't this just open up a security issue? It just seems like it could be a ticking timebomb even though one's password is usually some random string of letters and numbers consisting of 12+ characters.

It may also be a compliance issue, a company shouldn't be retaining CC details of quarantined services. It wouldn't be PCI compliant, but there is no evidence CatchConnect are in the first place.

Related Stores

Catch Connect
Catch Connect


  • Why do you need to provide your credit/debit card details to Catch Connect again? Catch Connect has moved to a new payment gateway provider (that is, the company that processes your payments for your Catch Connect service). As a security measure, the old payment gateway provider only stored your credit/ debit card details on an encrypted token. This token, and the information stored on it, has now been destroyed. As such, Catch Connect need your assistance in providing these details again to continue your service.

    • I think that suggests there was some breach. Otherwise it wouldn't be destroyed, unless it is some annual thing that is supposed to happen.

      In which case, I'm still wondering how things will work into the future. Maybe some more information about how they have worked in the past might help… I've only been with Catch for a few months.

      I looked in another thread and it states someone asked to remove the phone number from their account but then the account with no attached numbers was still active and able to be logged into. I think the CC details are connected to the account rather than a phone number, but I might be wrong.

      Or is there more to the story, in that because of some compliance issue that Catchconnect was kicked off or something… Thus terminating contract led to the need to destroy the token…

      The fact that an inactive account remains after there are no services is suspicious.

      • +1

        Not at all. The payment token would only be valid for that specific payment processor. There are plenty of reasons to move payment processors e.g. lower fees, more frequent payouts, better card acceptance etc.

        But the token from the previous processor is only valid to process transactions with that processor. CatchConnect need your card details again to create a new token for use with the new processor. The way the process works is card details are provided to credit card processor, credit card processor takes care of storing the CC details and provides CatchConnect with a token that only they can use to charge the card. CatchConnect never sees or has access to your actual card details.

        • Yeah that's a good explanation.

  • it stays on your account i believe

  • Catch Connect accepts Prepaid Coles MasterCard (Maybe Visa One too). You can pay by it or update to a zero balance Prepaid card later.

  • I don't think I've articulated what I am trying to achieve here.

    Okay, so there will be some ozbargainers that have created dummy accounts for catchconnect. Since those accounts should expire after some time and be destroyed (which they aren't apparently). Is there a possibility that someone might be able to login to those dormant accounts in the future and add a service?

    I don't care if they don't remove the account from their backend, but should they be allowing someone to login to something dormant. If they needed to recreate it once a service became active, then that should be happening and relinked to their backend.

    I don't really think it affects me. Furthermore, the fact that the CC details are stored, and who is storing it is actually not that important now I come to think about it. It's the ability to login to that dormant account which is an issue and with that comes the possibility to create a new service. Albeit they could have just negated it by not allowing logins or just removing the CC details like other providers do. Either works.

    I've decided not to poke too much into it, but I do think there is some room for them to improve their service.

    The other thing is if you put the dummy accounts in the spotlight. Is it possible that someone might end up in a position where a random account gets recharged that is dormant? How would they know which account it is? It's also going to be a pain for Catchconnect staff to find out more details even if you provide the card number and so on. I see some posts about 20+ accounts.

    I know I keep records of everything until the account disappears and check and change passwords annually, but not everyone else does.

    • If I remember it clearly, according to T&Cs, the number will be put into quarantine after 180 days without recharge. This is pretty standard practice with a telco. Thus, it'll exist in your account for a while.

      You over worry too much. No hacker is interested in a Catch Connect account.

      Why not update your CC to a dummy one? I updated it to a zero balance prepaid card. I can image it'll accept an online generated one too.

  • +1

    I have probably activated 20 or more sim starter packages using the one account. Couldn't see the need for multiple accounts and easy enough to keep track of a single account.

    • I think is the way to go, hopefully nothing weird happens. Only have two accounts at the moment because of this, may end up closing one after I get the cashbacks and merging to one default one that would be more manageable.

      Currently activating over 5 a month on koganmobile. I don't know if that affects whether one account is suitable or not on catch.

Login or Join to leave a comment