It's called automatic billing updaters, like:
Visa: Visa Account Updater (VAU) https://developer.visa.com/capabilities/vau
Mastercard: Automatic Billing Updater (ABU)
It worked fine for some time, but the problem is that the stolen credentials are now being refreshed as well.
Ideally, the issuer is able to investigate what type of fraud exactly happened on the card, and in case of a suspected compromised card number they can choose to simply not perform account updates or carry over tokens to the new card.
Practically, it's of course not that simple or clear-cut. As with most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses, etc.