Went to update payment info, showed me some random person’s credit card info (opens in new tab)

Credit cards are never secure by default. It is best to assume that the number will be stolen eventually.

Should not this incident involve PCI in some way?

I saw something very similar to this happen once in a system (many moons ago, before my current role). Hopelessly incompetent software developers put the session cookie in a static field of one of the Java classes responsible for the login process, and if two users logged in at the exact same moment (and their requests happened to be served by the same node of the app server cluster), one of them would be given the other's session cookie. So A and B would both log in at the same time, and there was a chance that B would get logged into A's account details instead of their own.

Somehow, all through QA testing, nobody noticed it (or if they did, they didn't report it). At just about the last possible minute before go-live, somebody observed it happen. Then there was a mad rush to patch the bug in the middle of the go-live weekend so the go-live stayed on schedule.

Yikes.

This is part of the reason why I prefer to never let any services/apps/etc. save my bank/card details. If there’s not an option to save the card details that I can uncheck, 9x out of 10, I reconsider the transaction.

The assumption here though is that the services/apps/etc. that do provide the option actually respect it; in other words, unless you use fake/virtual card details (not entirely reliable, in my experience), you can’t be 100% sure that you’re safe either way, which sucks.

Cross wiring user data is always a bad bug. Especially when it has to deal with payments and credit card data. I hope this is a very rare thing and they find the cause quickly. Could be in user authentication, the payment card tokens, or one of any numbers of things. My bet would be on Auth.