>Given that you pay for the server in advance, a VPS is essentially zero risk for them.
It is not zero risk, the risk is quite high. A credit card company may reverse a transaction reported as fraudulent unless they perceived the fraud report was incorrect / steps had not been taken to prevent fraudulent card use. Web servers are good resources for uses which are often funded by fraud.
It's definitely not a recent change, they required a copy of a photo ID as early as 2005 when I got my first server there. Don't remember being asked for a credit card scan ever though.
I didn't have to give them anything (I'm in the UK) but a client in Australia did. So maybe there's an EU thing at play (or just a risk assessment based on countries' fraud levels).
Given that you pay for the server in advance, a VPS is essentially zero risk for them. I am also surprised by this requirement.