[lxgr]

Banks usually have a mechanism to prevent automatic billing/card data updates for exactly that reason for suspected/confirmed fraudulent used cards, but unfortunately not all of them, and I suspect even for those that do, not all customer service reps know how to do that.

In an ideal world, all merchants would be using tokenization already – then the bank could offer you a UI where you can just kick out the merchants you don't want to have access to your payment credentials anymore before reordering a new card. (If tokens were mandatory, like they are e.g. in India, you wouldn't even need to reorder the card in the first place, but that'll probably never happen in the US – too many legacy systems.)