What happened
Consumer group Which? published an investigation into what it calls a "cancelled card loophole": when a bank issues a replacement card due to suspected fraud, the Automatic Billing Updater (ABU) service operated by Visa and Mastercard pushes the new card credentials to any merchant or digital wallet that has the old card on file.
The problem: if a fraudster previously stored a victim's card details with a retailer or in a digital wallet, ABU may update those stored credentials to the victim's replacement card number. The fraudster's stored entry now points to a live, valid card — without the victim knowing.
Even more alarmingly, customers often cannot opt out of this update at all, leaving them dependent on their bank's fraud policy.
Banks named in the investigation include HSBC UK, Lloyds Banking Group, Nationwide Building Society, and Starling. Which? found that practices vary: some banks allow customers to opt out of ABU, others do not.
Why it matters
ABU is the backbone of how subscription businesses keep cards current without customer action. When a card is renewed or replaced, ABU pushes the new credentials to every merchant with the card on file, eliminating the most common cause of involuntary churn: an expired card triggering a failed renewal. The service runs at the card network level, not the merchant level.
What the Which? investigation clarifies is that ABU does not distinguish between a legitimate subscription and a fraudulently stored card. It is a credential-forwarding service, and it forwards to everyone. That is a net positive for subscription businesses holding card-on-file legitimately; it is a problem for fraud victims whose cards have been stored without consent.
What this means for subscription operators
The lesson is not to fear ABU — the churn prevention it provides is real. The lesson is to understand what it is and is not doing in your billing stack.
ABU is still worth running
It catches the single biggest cause of involuntary churn (expired and replaced cards) without customer action. The fraud risk sits with the bank and network, not the merchant.
ABU is not a recovery system
It handles renewals of existing credentials. It does nothing for insufficient funds, hard declines, or cards flagged for other reasons. Those still need a follow-up sequence.
Watch for unusual post-update patterns
An unusual rate of ABU-updated cards declining immediately after update can be an early signal that compromised credentials are present in your billing system.
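The signal described above can be checked directly against billing data. The following is an added example, not code from the original article or from Which?: it takes, for every card whose stored credentials were refreshed by an ABU push, the first charge attempt inside a window after the update, computes the share of those first attempts that declined, and raises an alert when that share is both based on a minimum sample and well above the merchant's normal decline rate. The sample events, the 72-hour window, the 5% baseline and the 3x multiplier are all constructed assumptions; a real deployment would take the baseline from its own approval history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChargeAttempt:
    card_token: str            # merchant-side token for the stored card, never the PAN
    attempted_at: datetime
    approved: bool
    decline_code: Optional[str] = None


# Constructed sample data (hypothetical, not taken from the Which? investigation).
# Time at which the network's ABU push replaced the stored credentials behind each token.
ABU_UPDATES: Dict[str, datetime] = {
    "tok_a": datetime(2024, 5, 1, 9, 0),
    "tok_b": datetime(2024, 5, 1, 9, 5),
    "tok_c": datetime(2024, 5, 1, 10, 0),
    "tok_d": datetime(2024, 5, 1, 11, 0),
    "tok_e": datetime(2024, 5, 1, 12, 0),
    "tok_f": datetime(2024, 5, 1, 13, 0),
}

# Charge attempts the billing system recorded around those updates (constructed).
ATTEMPTS: List[ChargeAttempt] = [
    ChargeAttempt("tok_a", datetime(2024, 5, 1, 8, 0), True),                      # before the update: ignored
    ChargeAttempt("tok_a", datetime(2024, 5, 2, 9, 0), False, "do_not_honor"),
    ChargeAttempt("tok_b", datetime(2024, 5, 2, 9, 5), False, "do_not_honor"),
    ChargeAttempt("tok_c", datetime(2024, 5, 1, 18, 0), True),
    ChargeAttempt("tok_d", datetime(2024, 5, 3, 11, 0), False, "pickup_card"),
    ChargeAttempt("tok_e", datetime(2024, 5, 2, 12, 0), False, "do_not_honor"),
    ChargeAttempt("tok_e", datetime(2024, 5, 5, 12, 0), True),                     # later retry: not the first attempt
    ChargeAttempt("tok_f", datetime(2024, 5, 10, 13, 0), False, "do_not_honor"),   # outside the window: ignored
]


def first_post_update_attempts(
    abu_updates: Dict[str, datetime],
    attempts: List[ChargeAttempt],
    window: timedelta = timedelta(hours=72),
) -> Dict[str, Optional[ChargeAttempt]]:
    """For each ABU-updated token, the earliest charge attempt within `window`
    after the update, or None if the card was not charged in that window."""
    result: Dict[str, Optional[ChargeAttempt]] = {}
    for token, updated_at in abu_updates.items():
        in_window = [
            a for a in attempts
            if a.card_token == token and updated_at <= a.attempted_at <= updated_at + window
        ]
        result[token] = min(in_window, key=lambda a: a.attempted_at) if in_window else None
    return result


def post_update_decline_rate(first_attempts: Dict[str, Optional[ChargeAttempt]]) -> Tuple[float, int]:
    """Share of observed first attempts that declined, plus the number observed."""
    observed = [a for a in first_attempts.values() if a is not None]
    if not observed:
        return 0.0, 0
    declined = sum(1 for a in observed if not a.approved)
    return declined / len(observed), len(observed)


def flag_post_update_declines(
    abu_updates: Dict[str, datetime],
    attempts: List[ChargeAttempt],
    baseline_decline_rate: float,
    min_sample: int = 5,
    multiplier: float = 3.0,
    window: timedelta = timedelta(hours=72),
) -> dict:
    """Alert when ABU-updated cards decline on their first post-update charge at a
    rate well above baseline. `min_sample` keeps a handful of declines from
    alerting on their own; the declined tokens are returned for manual review."""
    first = first_post_update_attempts(abu_updates, attempts, window)
    rate, sample = post_update_decline_rate(first)
    alert = sample >= min_sample and rate >= multiplier * baseline_decline_rate
    declined_tokens = sorted(t for t, a in first.items() if a is not None and not a.approved)
    return {"sample": sample, "decline_rate": rate, "alert": alert, "declined_tokens": declined_tokens}


if __name__ == "__main__":
    print(flag_post_update_declines(ABU_UPDATES, ATTEMPTS, baseline_decline_rate=0.05))
```

Only the first attempt after each update is counted, because a later successful retry on the same card says nothing about whether the refreshed credential was stored with the cardholder's consent. The tokens returned for review are the cards to confirm against the original authorization records, which is the retention check the section below describes.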
Your liability is limited
As the payee, you are not responsible for the fraud recovery; that sits with the issuing bank. Your job is to ensure you only retain card-on-file for customers who authorized it.
The bottom line
ABU is a net positive for subscription billing, and the Which? investigation does not change that calculus. What it does clarify: ABU is infrastructure that forwards credentials, and your recovery work sits on top of it, not inside it. Keep using ABU to prevent the expired-card version of involuntary churn. Build the recovery layer to catch everything it misses.