Thats how it works in India. All authorized repeating charges ("mandates") are listed on a portal maintained by the card issuer. you can go in anytime and simply cancel the mandate from there. This is mandatory under banking regulations.

Credit cards are also required to be "tokenized" when stored at a merchant or payment aggregator - the user authorizes the bank to allow the merchant or the aggregator to "store" the card details for use later, and the bank then issues a card token, tied to the specific merchant/aggregator. They are not allowed to store the original card info at all - just this token. This makes the token not worth stealing, as it can be only used by that merchant, and is trivial to de-auth if needed, with or without merchant cooperation.