by detaro 2575 days ago
So anyone you ever bought something from with that credit card should be able to kill your AWS account with a simple phone call?
1 comments

They could send an email to the owner of the account asking to reauthenticate the card (re-enter the numbers & CVV, go through 3D-Secure or provide a picture of the card or bank statement).

This would mitigate incidents like this - as far as I’m aware the attacker doesn’t actually have the card number, so giving them 24 hours to confirm it (or the card gets removed after that) would be a good solution while remaining only a minor inconvenience for legitimate usage (realistically speaking, how many online stores who might have your card number are malicious enough to call companies and try to get your accounts shut down, with no benefit to themselves?)