That isn’t how recurring credit card payments worked back when I did work with them, however that has been over a decade now, so my info might be out of date. Back then, the gateway would give the merchant a token that it could charge against, which was tied to both your card and the merchant ID, or it would setup a payment schedule against the card, which was conceptually better, but harder to adjust or change if the amount wasn’t always the same or something. Either way, bank account info wouldn’t be involved.
Things were pretty screwy back then too, but in different ways. The payment gateways were just beginning to come out with subscription/recurring payment services, and they weren’t very good yet. They couldn’t handle the variety of discounts and such that merchants wanted to offer, so workarounds were ugly. Still better than having the merchants store the credit card info (sometimes in plaintext ) and just charge it whenever their built-by-the-lowest-bidder system decided to.
I was given a very limited description for why, after I changed my credit card number, that they were able to continue withdrawing money. Basically they just said that subscriptions like this particular one didn’t need to resubmit the CC number each month. The token you mention is a reasonable implementation for what they submitted instead of my originally stolen CC number.
Thing is, Etsy refunded “in kind” but NOT to the originally-billed instrument, and NOT via cancelling the original transaction. This, conveniently for Etsy, leaves responsibility for all incurred overdraft/NSF fees on the account holder.
And it’s not even remotely legal; they will be paying those fees, one way or the other.
Part of it is his reminisences of his time in the start-up trying to come up with a solution for online credit card transactions in UK banking in the tailend of the '90s.
Relevant section is “The third start-up death march begins” but it’s all good stuff.