Ideally, the issuer is able to investigate what type of fraud exactly happened on the card, and in case of a suspected compromised card number they can choose to simply not perform account updates or carry over tokens to the new card.

Practically, it's of course not that simple or clear-cut. As most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses etc.

I discovered this "quirk" when the local ice rink started charging me for dozens of charges — I was watching them come in. There were two "child2 thechao"s (insert crazy common name); and ... they just picked one and started charging. They didn't want to reverse the charges because the mom of child2 didn't want to pay.

Indeed, I suspect that's what went on here. I don't think there even exist 99 providers of what's customary called a digital wallet (e.g. Apple/Google Pay), and there's no definitely no single person that uses 99 of them.

It's bad service from GP's card company though, with network tokens they should be able to see which specific token was abused, and revoke just that one.

Interesting. I recently cancelled and reordered a card and I have still been able to make purchases via Amazon without ever making an update. In this case I am happy about it because I am lazy but had no idea how it was working. Presume this is what is going on.

Account Updater functionality isn't necessarily even involved there. In the end whether to accept a transaction is up to the issuer, and quite often they'll keep accepting recurring transactions on otherwise outdated card information.

Funny, the Amex on my Pixel Watch stopped working only a couple weeks after the physical card expiry.

It was quite confusing, because a) I received a replacement physical card several months before the card expiry, so by the time my watch stopped working I'd entirely forgotten about it, b) there's no indication anywhere in the Android/Wear OS of what the expiry date is or that it might be expired and c) there's no indication at the point of sale that the virtual card is expired, simply a generic "Declined" message.

You can run a charge with only the card number if you have sufficient trust. Each additional piece you add reduces liability and transaction fees (add exp, add cvc, add 3ds, ...)

Wallets usually don't store the card information directly anyway, but only a token, which can be re-associated with new underlying card details when the card is replaced.

The token itself does also have an expiry date (it's a mandatory field in most protocols), but that can be updated as well, I believe.

That's very much contrary to my experience just a couple months ago that I detailed in another post: https://news.ycombinator.com/item?id=47981956