If Apple Pay is anything like Google Pay it will pick up the card has been changed. I'm not entirely sure whether there's an algorithm at play (credit/bank card numbers are based on an algorithm) or whether the bank update it with Google, but whenever I've ordered a new card or they have changed due to age, the app knows the number of the card already. All I need to do is enter the CVV code on the card to verify it. There's also a slight grace period to allow for postage and other related chaos before it will force you to verify the new card details.
The easiest way to "break the chain" is to close the account and start a new one. At that point the cards start with a completely new set of numbers, and the scammer is stopped in his tracks. The problem is, if it's a bank account most people don't want or need the hassle of an account being closed, another one opened, and the fun and games that follows when you need to update everything (I know banks can do most of it these days, but it's still annoying for the stuff they can't).
The way Google Pay and Apple Pay (and some others) work is by creating a virtual credit card for you (if you use Google Pay and click your cards, you'll see part of the virtual card number in the info screen). It's nothing spectacular (just numbers), there's no credit limit apart from what they make as a maximum purchase and what you have available in the bank. When you pay for anything with your phone it gets charged to this virtual credit card, pays the vendor and then bills your registered card(s). I suppose it would be possible for an employee to get access to real world card/bank details, but it would need to be very high up and a call centre drone or low-level worker wouldn't be able to access them as par for the course.
Out of curiosity, your friend doesn't have any children do they? A few years back my then-girlfriend kept seeing Dominos pizza charges on her credit card. The bank (Santander) weren't much use apart from changing the card. Every time the card was changed it kept happening so in the end the fraud team decided to sort it out once and for all. It turned out that the delivery address was her home address, but every time it was ordered was when she was at work (she works mainly nights as a nurse). It turned out one of her kids was coming in, couldn't be bothered cooking or eating anything in the house, and was ordering from Dominos. Whenever she changed her card, he just snaffled the new details and carried on. Thankfully it was stopped when she managed to get the police around to arrest him (for fright tactics), give him a talking to, and then de-arrest him with a warning.