by Sreyanth 2803 days ago
I know they do pull it out to a separate band but many VoIP providers log the DTMF sent as digits to debug things - most evident in IVR use cases.

So, if attackers want to get card details, they need not attack the business or Twilio (because it might redact these when they see <Pay>), but they can simply access logs of the middlemen for DTMFs. Concatenate all those per call, and there we should have all card numbers, expiry dates and CVC/4DBC.

Not sure how Twilio is doing it though. Unless they use some awesome encryption method to encrypt all these numbers so no one in the middle can see them.
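An added example, not part of the comment above and not Twilio's or any provider's code: a log audit that an operator handling card payments over IVR could run to find calls where per-keypress DTMF debug logging has captured a card number, reporting only masked values so the finding itself does not leak the number. The log line format, field names and sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical debug-log format (an assumption, not any real provider's).
LINE_RE = re.compile(r"call=(?P<call>\S+) event=dtmf digit=(?P<digit>[0-9*#])")

def make_lines(call_id, keys):
    """Build constructed sample log lines, one per keypress."""
    return [f"2018-01-01T00:00:00Z call={call_id} event=dtmf digit={k}" for k in keys]

# Constructed sample: c1 keys in a well-known test card number, expiry and CVC;
# c2 only navigates a menu.
SAMPLE_LOG = "\n".join(make_lines("c1", "4111111111111111#1225#123#")
                       + make_lines("c2", "2#1#"))

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pan(run):
    """Return the first Luhn-valid 13-19 digit window in a digit run, or None."""
    for length in range(19, 12, -1):
        for start in range(len(run) - length + 1):
            cand = run[start:start + length]
            if luhn_ok(cand):
                return cand
    return None

def calls_leaking_pan(log_text):
    """Map call id -> masked card number for calls whose logged DTMF contains one."""
    per_call = defaultdict(str)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_call[m["call"]] += m["digit"]   # rebuild keypress order per call
    findings = {}
    for call, keys in per_call.items():
        for run in re.split(r"[*#]", keys):     # '*' and '#' end an IVR field
            pan = find_pan(run)
            if pan:
                findings[call] = "*" * (len(pan) - 4) + pan[-4:]
                break
    return findings

if __name__ == "__main__":
    print(calls_leaking_pan(SAMPLE_LOG))
```

Any call id this reports means the logging path stores card data in clear text, so that log store and everyone with access to it has to be treated as handling card numbers until digit logging is disabled or masked at the source.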