Please do not compare XBL to PSN. Just because the PSN was hacked does not mean that XBL will be. So far in all its years of operation XBL has been a safe and secure network.
If you have a credit/debit card attached to your account and it is tied to an active XBL membership you will not be able to remove it. What you would need to do is contact support in your region and have them turn off auto renewal. Then once the account reverts to silver at the end of the subscription term you can then remove the payment instrument via billing.microsoft.com or you can call and have them remove it.
Or you can cancel your current XBL subscription. Be aware that if you have less than 30 days left on the subscription you will not be reimbursed for it. Otherwise you will be given a redeem token for any time left on the subscription that you could then use instead of a credit card. Note that it may take 3-5 business days before you receive the token.
When someone's credit/debit card is used to purchase things without their permission, in the instance of your friend, there could be several ways anyone could have got a hold of that credit/debit card number, many of which do not involve XBL at all. If your friend uses a credit/debit card on any online websites/services it could have been compromised on one of them no matter how secure his connection is on his end of the network. If your friend does not shred his mail before he bins it someone could have got a hold of his information that way. Etc. Etc. Etc.
Unless you know for absolutely sure that XBL was the cause of the compromise then I would hold off on placing blame on anyone. Do the above and you will have no worries.