As mentioned, privacy allows these verifications, but it is absolutely essential to authenticate the caller's need to know. This is often most easily accomplished by getting a confirmation of the transaction from the customer.
With debit card transactions, I get as much info as possible from the caller about the transaction (name, card number, billing address, shipping address, etc.), basically all of the stuff the caller wants to verify. If nothing matches, I will tell them that the info doesn't match our records without telling them what is in our records. After all, if the merchant is calling because they suspect fraud, I believe I do my customer the most good by assisting the merchant in stopping the fraudulent transaction quickly.
If they give me info that matches (or a partial match) I do not confirm the match, but I offer to call the merchant back after I have completed my verification. Then, after calling the customer and getting a confirmation, I will return the call to the merchant with the appropriate answer.