Most phone service providers (and others) that accept payments initiated as debit/credit card or direct debit (ACH) transactions offer one-time authorizations or recurring authorizations. There is usually a clear differentiation between the two in the screens on which the customer (or his accommodating friend) provides the card or account information to be used for the payment(s).
It's possible your cardholder mistakenly provided an authorization for recurring payments. If that's what your are able to confirm when contacting the phone service provider, you can deny the claim and advise your cardholder to cancel the authorization as soon as possible. It's also possible your cardholder provided information for a one-time payment, and the phone company saved that info (payment information on file), and his buddy took advantage of the situation to get a second month of service paid for by your customer. Here, you can fall back on the exception to the definition of "Unauthorized EFT" in § 1005.2(m) of Reg E that involves giving the access device to a third party with authority to use it, and not contacting the bank to cancel the authorization when the access device isn't returned to the cardholder's control.
In either event, you can assist the cardholder by cancelling the card and issuing a new one.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8