I asked the CFPB this very question. If a member's account with a retailer is used for fraudulent purchases (the purchases show up on the member's purchase history), how can we be liable if the card number was never compromised? The fraudster can't get the card number to use elsewhere because it is either masked or tokenized within the merchant's "payment methods." We have this situation happen all the time anymore with food apps, Uber, food delivery, Amazon, Cash App, etc. We end up cancelling the card because we have no dispute rights if the card is active.
The CFPB responded that they are working on new FAQs. Which frightens me.
We follow our error resolution procedures and investigate/reimburse on these claims because the current FAQs make it pretty apparent that we are responsible for anything that may happen with a debit card. It makes "investigation" fairly easy - basically we are just here to give money back.