So far I don't see any problems. It looks like bots just attempted payments with stolen cards. That's not your fault or the implementations fault.
We're using hosted payments for eWay. This means all CBSubs is responsible for is redirecting to eWay with an amount to be billed. eWay would then send them back and CBSubs would confirm the payment. At no point is the payment handled by CBSubs in any way. This was implemented years ago using the documentation at the below links which doesn't appear to exist anymore and they didn't bother setting up redirects for.
Code:
https://www.eway.com.au/Developer/eway-api/shared-payment-solution.aspx
https://www.eway.com.au/_files/documentation/HostedPaymentPageDoc.pdf
The above however just appears to be v1 or v2 implementation of their Responsive Shared Page below. Regardless all we're doing is giving customer data to eWay and they give us a URL to redirect to. After that the payment is entirely in eWays hands.
eway.io/api-v3/#responsive-shared-page
This means all the fraudulent checks is entirely on them, but the bot problem is of course entirely on you. I do recommend securing your registration form using CB AntiSpam.
As for the payment processor there's nothing I can do there as explained above we don't handle the payment at all. If they have implementation recommendations on what we should be doing here then we can review making adjustments, but we're already sending nearly all the optional data (e.g. customer name, invoice address, etc..). If you want a more featureful provider that has modern security practices I would recommend moving to Stripe.
krileon
