I don't buy your "catching the bad guy" excuse, and here's why: my bank had no idea this was going on. Google never notified them. Not when the AdSense attempt happened (which could have been YEARS ago), and not when I attempted to use GCO. Me calling them up to cancel the card was the first they'd heard of it.
I would PREFER if the "bad guy" knew not to use my card anymore. I don't really think we should pretend everything's peachy just so he can continue attempting to use my card. If he gets a "THIS IS BLACKLISTED" message, maybe it will occur to him to stop using the card because someone has caught on. And if the legitimate holder gets this message, then they know to cancel it instead of just assuming buy.com is a crappy website.
Google could have handled it better. I did my part and canceled when they told me, but shouldn't they be obligated to inform me that my account had possibly been compromised?