Is accepting an invalid credit card number a security issue?
Should I report this as a security issue or will it come under fraud management?
There may be a business risk issue, which you can document under security, but how significant it is depends on the business.
You say the web site
accepts ... credit card numbers for reservations.
What are those reservations for?
If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.
If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.
There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.
The interesting thing is they do CC validation if the currency is USD, but not for any other currencies.
And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.