It also doesn’t describe any of the why the additional security measures were put in place. It sounds arbitrary, but could be an insurance or regulatory requirement that the acquiring company needed to meet. Similar for the login issue, it’s suboptimal but what constraints caused that solution to be put in place? And why wasn’t it fixed?

Sans context there’s not a lot to complain about here.