All my credit cards show (in French) "Expire fin YYYY-MM" (explicitly the *end* of the indicated month). I have never seen any credit card expiring at start of that month (and renewed cards are sent to customers about 2 months before the expiration, 1 month at most, so there's a delay for activating the new card).
Note however that some credit card issuers may give additional delay, if the new credit card is still not sent, received and activated by the customer. Once the customer activates the new card, the old one replaced b y the new one is desactivated within the next 24 hours, sometimes even faster for internet transactions that can use a verification process with a transaction made by Visa or MasterCard with the issuing bank, or on cash withdrawal machines that are also connected). Credit card transactions are fast to process. And anyway almost all transactions made with a credit card must first be confirmed by the credit card issuer.
The credit card number (even with the correct checksum digit), the expiration date, the CCV code, the name of the credit card holder are not enough to confirm that a card is valid or not.
So I would not say that a credit card with an expiration month is past is invalid: In fact it may still be usable, but the indicated date MUST match (if not, Visa, MascardCard will reject the transaction as invalid). Then the transaction is on hold until the payment is confirmed by a pending status. MasterCard, and Visa will both contact the bank to confirm the transaction, the bank may provide a secure form to input some confirmation code, possibly sent by SMS or a secure mobile app that the owner must confirm, the user will then have to type that confirmation code, and then the form will be accepted and will return to the merchant that will receive a notification: "transaction confirmed" or "transaction cancelled" (when it is cancelled, Visa or MasterCard don't return the cause, the credit card may still be valid, but the user could not terminate the transaction in the limited time or could not receive the SMS or use their mobile app because they don't have their smartphone, or it is out of battery).
In summary, credit card transactions are not automatically renewable, and collecting and storing credit card numbers or info (expiry, owner, CCV) is not something that is sufficient (it worked in the past, but credit cards info were stolen on so many websites that most cards now no longer work with a transaction by transaction authorization. In addition, even if a transaction is accepted, it may be cancelled within the next 3 months if the customers signals the card being stolen (the customer gets a full refund by the bank, the merchant will have its account debited if it was credited earlier, so the merchant must keep a way to contact the customer and get enough info from him, but keeping the credit card info is useless and merchants should never store them longer than the time to process the single initial transaction: once the transaction has been confirmed, it is the transaction ID that the merchant must keep in case it gets cancelled: the merchant's bank will debit the merchant's account by providing this transaction ID which is what is needed to recover the unpaid product or service by other mean with the customer).
For recurrent payments, there's no warranty that it will work after the 1st transaction succeeded (in fact Visa or MasterCard do not offer such warranty, recurrent payments should be made only by another system). This is at least what is needed in Europe. US may have more "permissive" rules (but there's less protection in US for customers than those that exist in Europe, where all abused transactions are refundable: the customer just has to certify legally to his bank (sometimes as well to the police, but this is no longer necessary) that his credit card was lost or stolen, and the credit card will be blacklisted for all further transactions; the customer gets his money back, but no longer has a credit card, and must purchase a new one, or must pay an insurance to cover this cost and get a new one for free). It's up to merchants to pay an insurance if some of their paid transactions were cancelled, and to pay the recovery process for any unpaid billing (such recovery is generally hard and fails more than half the time).
But at least this system allows collecting statistics about abuses, and investigations on where the money was used. Banks, Visa, Mastercard, and insurance companies cooperate for these investigations and if needed they'll do the legal procedures themselves after isolating some hotspots of abusers. One example: if the "stolen or lost" card is inserted in any ATM, the user will be photographed by the machine. Many shops also have recording cameras that take photos of all those using their payment system (these are archived and usable for a few months, to allow judiciary or police procedures). But it is more difficult to track an abuser on the Internet (the IP address would reveal nothing if the IP was abused or if it was a mobile internet access on a phone with a "disposable" SIM that costs very little and whose owner's identity is not identifiable, of if this was using a public Wifi hotspot). For this reason, all internet transactions should be secured and not delayed, using the two-factor authentication procedure required by the credit card processor (use its API on your server or application!)
