What are the carding attempts your receiving like? Do they appear to know all of the information (name, address, cc#, expiration, cvv2)? Does your implementation use AVS?
If, for example, you are using Authorize.net they have velocity filters which allow you to limit the number of credit card attempts per IP/hour. Check with your processor to see if you can set a limit per ip.
A captcha wouldn't be a bad idea IF you only made it appear after 4+ miskeys.
The name and address that they are using are the same for every card so, those are not accurate. The CC#, expiration and cvv2 appear to be good. Yes, I'm using the Auth.net fraud detection suite which are catching almost all of the transactions, the problem is, the processor still has to run an authorization on the transactions which is still a few and they're saying they don't like the risk. I have the transactional ip velocity filter set to 10 transactions per hour. I suppose I could lower that.
I wish there was a way I could block the script or something, but that's a little above my level of knowledge. I still like the idea of a captcha triggering after 3 or 4 bad attempts, but I'm not aware of any such thing existing. This is really frustrating especially because I want to fix the problem, but I have no way to do so. :-(