Without filing a chargeback to obtain information about the authorizations (e.g. IP address / email address that you could tie to her computer provide evidence that she authorized the transactions) all you have is circumstantial evidence which most examiners (and auditors) would consider inaquate to deny a claim.
Reg E gives the consumer the right to request copies of the documents you relied on to deny a claim. What documents would you provide based on what you have now? Accessing online banking doesn't prove she knew about the transactions or authorized them. Asking for a new debit card doesn't prove that she knew about the transactions or authorized them. The USAA Bank UDAAP enforcement action made it quite clear that the CFPB doesn't consider reliance on behavior patterns to be an adequae investigation. The commentary to 1005.6(b) notes that we cannot rely on the consumer receiving periodic statement as evidence that they had knowledge of the loss/theft of an access device.
You should follow your normal procedures for investigating a claim. If you obtain hard evidence that she authorized the charges, that's when you deny the claim.
Finally, don't give this (soon to be ex-customer I hope) another card.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com