The bank can ask for an additional validation on purchases like validating a transaction in a mobile app as part of the payment flow. This is part of 3D Secure and 'Strong Customer Authentication' (https://stripe.com/docs/strong-customer-authentication), and it's a legal requirement in Europe. Having every n-th transaction with Roblox require accepting a notification in your mobile app would stop this sort of issue for 99% of customers.
