It sounds like probably something like you hack someone's master account. Create sub-accounts and are able to use those sub-accounts to make purchases without the cvv?
If this is the case, it's no different to how Apple and Google do things with family setups.
This might be a whole load of nothing.