Our current problem is with a site that uses Shopify Payments. We have someone (more than one?) that is obviously using the site to see if the stolen credit card numbers they have will work. This person places large orders multiple times a day.

Shopify knows they are fraudulent and we have a flow in place to cancel the order immediately due to "High Risk". We use the manual payment setting to make sure that we are not charged for the transaction fees for these orders.

The issue is that these fraudulent orders are 90% of our orders on that site. It is making a mess of our data. Also, I hate that our site is a useful tool for this person to see if the stolen credit card numbers/addresses he is using work.

With our non-Shopify Payments sites we can add a velocity filter, and some other things. But those sites pay a much higher cc rate than Shopify Payments.

What I am looking for is a way to prevent this person from trying credit card number after credit card number. They are obviously clearing cards using our site and I'd like it to stop.

Some more facts:
1. The IP address changes with each order.
2. They don't order anything they want and they ship it to the billing address.
3. They don't use the same email address although there is some similarity
4. They seem to have a near endless number of credit cards and typically can try 5-10 of them before they get one to work.
5. The person is not trying to steal from us (although if the orders went through that is what would happen) the person is figuring out which card numbers/addresses they can put a $250 order through. I imagine they then place an order someplace else once they have figured it out.