Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.