At the very least, he system needs to raise big red flags if a CC added very recently is used for validation. A system I built a few years back would alert customer service if any of the validating data was less than a month old, and would let them use it if it was less than a week old. (So yeah, if you forgot your password in the week after you changed address, you were locked out for a week. That was a business risk deemed "acceptable" by the client.)