I signed up for a 12 month contract with my ISP in January using their secure web form to enter my credit (debit) card details to use for direct debit. It may be worth noting that the parent company of the ISP supplies our gas(?) and electricity.

Recently I lost my card and had a new one issued by the bank which means I need to update these details with my ISP to continue direct debit. There is no web form that I can use to update my direct debit details despite initially using one to sign up (parent company does however provide this option).

I have been told via email and over the phone that I either have to email my details or send via mail (but not registered mail), that they don't provide bpay and they can't do it over the phone as they won't have a written record (despite recording calls?). Everything I've learned tells me that sending CC details via email is a really bad idea and my bank advises against it. ISP has told me that it was part of the contract I signed although I looked through I couldn't find anything in the fine print.

My research on the ACMA website and business .gov .au hasn't found anything that quite addresses this. Are there any legal issues here with regards to the ISP not supplying a secure way to pay? Does the parent company providing these services/a web form available on initial signup create any precedent or expectation? Is there anything else I can do beyond filing a complaint with the TIO?