Ah. So in that case, NPM is not learning a new card number, and probably isn't even aware of anything at all, given that the card issuer is simply accepting transactions (instead of declining them as this person expected) on the old card number.
NPM was in the wrong for continuing to place unwanted transactions, but they were not actively participating in this "follow" scheme so the blame stops short of that.
The way the update services work is that you send them the card type, card number, and expiration date of a card you have on file, and they respond typically with one of these four responses:
1. Still good.
2. The account is closed.
3. The card is still good but has a new expiration date, which is YYMM.
4. The account has a new card. The card number is XXXXXXXXXXXXXXXX and the expiration date is YYMM.
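The four responses listed above, as a merchant's billing code might handle them; this is an added example, not part of the original comments. The record shapes, the `apply_update` name and the rule that a cancelled subscription is never updated are assumptions for illustration, not any card network's actual interface.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    STILL_GOOD = 1        # response 1
    ACCOUNT_CLOSED = 2    # response 2
    NEW_EXPIRY = 3        # response 3
    NEW_CARD = 4          # response 4


@dataclass
class UpdaterResponse:    # hypothetical shape, not a real network's message format
    status: Status
    new_expiry: Optional[str] = None   # YYMM
    new_number: Optional[str] = None


@dataclass
class CardOnFile:
    number: str
    expiry: str           # YYMM
    subscription_active: bool
    chargeable: bool = True


def _valid_yymm(value: Optional[str]) -> bool:
    return bool(value) and len(value) == 4 and value.isdigit() and 1 <= int(value[2:]) <= 12


def apply_update(card: CardOnFile, resp: UpdaterResponse) -> str:
    """Apply one updater response; return an action label for the audit log."""
    if not card.subscription_active:
        # Assumed policy: a cancelled subscription never follows the customer
        # to a new number or expiry, whatever the updater returns.
        card.chargeable = False
        return "ignored-cancelled"
    if resp.status is Status.STILL_GOOD:
        return "unchanged"
    if resp.status is Status.ACCOUNT_CLOSED:
        card.chargeable = False
        return "disabled"
    if not _valid_yymm(resp.new_expiry):
        return "rejected-malformed"
    if resp.status is Status.NEW_CARD:
        if not (resp.new_number and resp.new_number.isdigit()):
            return "rejected-malformed"
        card.number = resp.new_number
    card.expiry = resp.new_expiry
    return "number-updated" if resp.status is Status.NEW_CARD else "expiry-updated"
```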
Oh, ok. Still doesn't feel right blaming the merchant for utilizing #4 in exactly the intended manner.
The existence of #4 seems odd though. If someone just wanted different card perks they could do a "product change" which I believe retains the same number anyway, so a new number should only occur if the old number was reported stolen, in which case why provide the new number to the potential thief?
The update service is only available to merchants, and even then I believe there is extra vetting beyond simply being allowed to accept credit card payments. The intersection of that set and the set of credit card thieves is small.
For a typical user who has their card stolen it will go something like this. Fraudulent charges start appearing on their card, which is when they realize their card number has been stolen. The bank issues them a new card, makes sure the fraudulent charges get refunded, and invalidates the old card so the thieves won't be able to put new charges on it.
Without the updater service the user would have to deal with contacting every place they have subscriptions and update their on file card to avoid having their services disrupted.
With the updater service many or most of those will update automatically.
If the thieves used the card to buy some subscriptions, and those are from merchants who are able to use the update services, then those services may get the new number so the user might have to contact them to cancel.
For most people in that case, though, the number of subscriptions they legitimately have will be much less than the number of subscriptions that the credit card thieves purchased on the user's stolen card.