by kalleboo 2691 days ago
> So, we're supposed to trust the application's main process to accept a credit card securely, but not trust their system which tracks UX?

Correct. The payment code is usually gone over with a comb for PCI compliance (or completely outsourced to someone like Stripe), whereas the UX tracking is much less so. It's also a common enough issue that stuff like credit cards or API codes ends up leaking into logs.

1 comments
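A defender-side illustration of the "leaking into logs" point in the comment above, added here and not taken from the thread: a Python logging filter that finds 13-19 digit runs, Luhn-checks them, and redacts the ones that are plausibly card numbers before a log sink sees them. All names here are my own; the sample log lines are constructed.

```python
import logging
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not glued to other digits on either side. Luhn decides the rest.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, as used by card numbers (not by most order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace Luhn-valid digit runs with a marker that keeps only the last 4."""
    def _sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            return "[PAN-REDACTED:" + digits[-4:] + "]"
        return raw              # Luhn fails: leave it (likely an id, not a card)
    return _PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Render the record once, scrub it, and drop the args so nothing re-formats."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def format_log_line(fmt: str, *args: object) -> str:
    """Helper (assumed, for demonstration): run one message through the filter."""
    rec = logging.LogRecord("ux", logging.INFO, __file__, 0, fmt, args, None)
    PanRedactingFilter().filter(rec)
    return rec.getMessage()


if __name__ == "__main__":
    log = logging.getLogger("ux")
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log.addFilter(PanRedactingFilter())
    # Constructed sample: a UX tracker echoing a form field verbatim.
    log.info("checkout field=%s value=%s order=%s", "card", "4111 1111 1111 1111", "1234567890123")
```

Attach the filter to the logger that the tracking code writes to, not only to one handler, so third-party handlers added later are covered too.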

PCI compliance covers all aspects of credit card numbers and how they are collected, transmitted and stored. There's no reason to believe a company you can't trust to either not grab it or transmit it or store it for UX metrics non-compliantly will take care to do so in a compliant manner otherwise for normal operations. Either they take care with important data or they don't, and for this measurement "assume it's taken care of because they offload it to some other company" doesn't really count as taking care and absolve them of the responsibility, as I'm sure a lot of developers convince themselves it does.

That said, my point isn't necessarily that you should trust apps gathering UX metrics more, but that you should probably trust all apps quite a bit less, whether they track user actions or not.