The issue with this is that you won’t have a scapegoat if people do continue to roll through credit cards. With ReCaptcha, you just say “all of these attempts had verified captchas” and the CC processor is unlikely to personally blame you/the company for the activity since ReCaptcha is widespread. With a custom solution or other captchas, they can just block you due to insufficient protections when they see you have higher fraud rates than merchants utilizing ReCaptcha.
If you disable anonymous checkout work so that you have to have a registered account and be logged in to check out stop these credit card rolling attempts? Shut down any account it occurs. Probably whack-a-mole, but is it effective enough to not deploy a captcha system and not have the merchant account suspended?
Bots in the business of CC fraud are often written specifically for that website, so you might have bots register a few hundred accounts a day to try the CCs. All I’m saying is that ReCaptcha is a scapegoat, other big websites and services get away with doing their own fraud detection (Stripe, Shopify) because they’re good at it and have a team dedicated to constantly improving it.
