It's a fundamental security dictum that no legit organization ever reaches out to you asking you to volunteer personal or financial data via phone, email, or text. It's as sure a sign of sketchiness as the fractured English text in those fake Microsoft "invoices" we sometimes get. A provider on the up-and-up already has all that information.

AFAIK the only scenario where a legit company might have this issue is when you, the cardholder, have cancelled (or let expire) the originally used card since making the purchase, or changed its number owing to another fraud attempt. Otherwise yes.