some transactions are getting through our defenses and costing us money

In #135 (closed), I noticed some failed transactions in our metrics and asked @mattlav to check them out. It turns out those are real, actual failed transactions and that stripe charged us for them.

So somehow, scammers are still going through our defenses and card testing on our site.

A discussion of solutions ensued and, in #135 (comment 3082648), @stephen detailed the protections we have in place. It became evident (see #135 (comment 3083586)) that something is missing, particularly the capacity of automatically banning, for a longer term, repeated offenders.

@stephen started drafting !158 in response.

this issue is to track the work surrounding that, and to close #135 (closed) and get it off @mattlav's back.