by SyneRyder 78 days ago
It's up to the company, but since many companies don't want to keep card numbers around (and some processors don't let you see the card number anyway), they're probably more likely to block on identity. Maybe flag the IP address of the transaction for "additional screening" on all future transactions, etc.

IPs are notoriously unreliable for identity pinning, particularly in this age of CGNAT.

If they can’t or don’t want cc numbers (makes sense considering how painful PCI guidelines are anyway) does that mean they need to rely on more tools from the processors or user accounts maintained by the merchant themselves?

CC numbers are also bound to get recycled eventually as cards expire and/or get replaced... even if you block a card, it might have a new owner 6 months or so later.

The number space between the first 6 digits (BIN) and the Luhn check digit is 9 digits — that's 1 billion numbers that issuers can give out before a collision happens.

That doesn't seem to be more than an order of magnitude off between available numbers and issued cards - a cursory search says there are over a billion credit cards in circulation in the US alone.

I think you're confusing the available number space per BIN (often used for a single card product) with the number of available numbers per network.

Visa and Mastercard each have 14 digits' worth of permutations to play with, excluding the first and last digits. That's one hundred trillion numbers.

Assuming 8 billion people in the world, each person can hold 12,500 of either Visa or Mastercard before a collision happens. (As above, the number space is smaller because of how BINs are issued, but that's still plenty.)