Nothing to hide
So why 3 different names? Changing the name of your company with every new project is not the general behaviour of an above-board business.
To pick just one thing from the entire article:
"Because of a peculiarity of the tokenisation, numbers three digits or shorter aren't collected anyway, they're too short so there's no numbers at all."
So, their tokeniser has a "peculiarity" which stops them tokenizing any string of digits less then 4 digits in length? And we are supposed to place faith in their code? If they cannot even tokenise strings properly, how are we supposed to take their word that this is secure?
They then want us all to believe that because their tokeniser cannot handle the number 123 that there are no numbers collected. If their tokeniser can handle the number 123456, then it is collected. In a badly designed e-commerce system, a site owner using BT/virgin as their ISP will be putting 16-20 digit numbers into the phorm systems while reviewing orders. Either the ISP or phorm just processed the personal credit card data of a 3rd party who has no contract with either. Whether they discard the information or not, they processed it.
Another thing that may be worth considering is where copyright law stands on this. Although infosoc specifically exempts transmission in a network, what they are doing is creating a second copy outside of the transmission and then processing it for commercial purposes. I don't know whether that is legal or not, but it'd be interesting to find out.