The naive way to solve this problem is to give each DVD player its own encryption key. Call the key owned by player i K_i. When you want to print a DVD you generate a random key k and encrypt it under each K_i. So, the DVD will have a key encryption block consisting of E(K_1,k), E(K_2,k), E(K_3,k), ... E(K_n,k), where n is the last DVD player that will ever be manufactured. Then, when player j is compromised you just don't encrypt under key K_j for all future DVDs. Now, you can't always tell when a player has been compromised, but the threat model here is that someone takes the key and embeds it in a piece of software, so all you have to do is get a copy of the software player and extract the key.
There is an obvious problem with this scheme: the key encryption block is enormous. If you expect a billion DVD players to be made, then each DVD player will need to have a billion encrypted keys. If each key is 16 bytes, that's 16 GB, which is twice as large as a DVD--and we don't even have any data on it yet.
Luckily, it turns out that there are schemes (collectively called "broadcast encryption" schemes) for arranging the keys in such a way that the encryption block is much smaller. The simplest one is to lay out all the keys in a tree, like so:
Each player gets one of the leaf node keys and all the keys on the path to the root. So, player 0 would get keys K, K_0, and K_00.
Initially, all DVDs are encrypted under key K which all players have. (Well, technically the DVD key is encrypted under K.) Now, say that key K_00 is compromised. From then on DVDs are encrypted under keys K_01 and K_1. This allows every player but player 0 (holding K_00) to decrypt the DVD). Every time a player is compromised, you change the set of keys you encrypt under to exclude that key. This isn't the best (most efficient) scheme, but it should give you the basic idea. The particular scheme that AACS uses is called "subset difference", which is rather more complicated to explain. (see here for an explanation.)
You're missing the picture in this version of the page....
Actually CSS had 409 different player keys. The disk key was encrypted to all of these keys, and each player had a few keys. The idea was similar to AACS, that if a player's key got stolen, future disks would not be encrypted to that key. Unfortunately (for them) the crypto algorithm was so weak that it was broken completely and there was no need to use stolen keys.