Comment by colechristensen

Agreed. This is a situation where you need a dedicated security team to classify and mitigate this kind of attack while making sure the mitigations don't add too much friction to your real customers. It's not easy. It's also not really on your payment processor to be the first line of defense for this kind of fraud.

You'll need to find some way to fingerprint to classify users into risk buckets and then treat them differently based on the bucket: blackhole, high friction verification, and likely safe are three reasonable buckets.

Cloudflare has tools that can help identify bots, much of this can be offloaded onto them.