Not much more you can do in the specific case you described.
The only way to be 100% certain would be to kill the guest checkout and require registered customers to go through a KYC process so you know each of them is the real person they claim to be on the card. But that is not something a usual B2C customer would go through just to make a purchase.
Do you by any chance use Braintree for payment processing? Our sites have been targeted for the last several days. We have advanced fraud prevention on Braintree configured, and we have reCAPTCHA configured on the payment page. But they seem to be able to bypass reCAPTCHA. Any additional thoughts? We are considering implementing Cloudflare and putting rate limiting in place. We have noticed that when the attacks happen, they seem to be bypassing the captcha, as there are hundreds of POST /captcha/refresh issued within just a few seconds.
These attacks have occurred from multiple global locations, including the US and Canada.
Any additional thoughts you have are much appreciated.
Implement more granular rate limiting that can detect patterns of suspicious behavior. For instance, instead of a fixed number of requests, use algorithms that adapt to behavior patterns, such as the frequency of checkout attempts or failed payment attempts.
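As an added example (not code from anyone in this thread), the following shows what per-behaviour velocity limiting looks like in practice, replayed over the kind of traffic the earlier post describes (a burst of POST /captcha/refresh followed by repeated declined payments). It assumes a simplified access-log format (epoch seconds, client IP, method, path, HTTP status), that checkout submissions land on POST /checkout/payment, and that a declined card surfaces as HTTP 402; all three are assumptions for illustration, as are the thresholds.

```python
"""Velocity-based rate limiting keyed on behaviour, not raw request count.

Added example, not code from the original thread. Assumptions (for illustration
only): log lines are "ts ip method path status"; checkouts POST to
/checkout/payment; a declined card returns HTTP 402; thresholds are untuned.
"""
from collections import defaultdict, deque

# Ordering used to pick the most severe action a request triggers.
SEVERITY = {"allow": 0, "challenge": 1, "block": 2}

# Per-signal policy: (window in seconds, max events allowed in window, action
# once the limit is exceeded). Each behaviour gets its own window and limit.
POLICY = {
    "captcha_refresh": (10, 5, "block"),       # bursts of POST /captcha/refresh
    "checkout_attempt": (60, 6, "challenge"),  # many checkout submissions
    "payment_failed": (300, 3, "block"),       # repeated declines = card testing
}


def classify(method, path, status):
    """Map one request to the behavioural signals it represents (may be none)."""
    signals = []
    if method == "POST" and path == "/captcha/refresh":
        signals.append("captcha_refresh")
    if method == "POST" and path == "/checkout/payment":
        signals.append("checkout_attempt")
        if status == 402:  # assumed: declined card is reported as 402
            signals.append("payment_failed")
    return signals


class VelocityLimiter:
    """Sliding-window counters per (signal, client key).

    A flat requests-per-minute limit lets a card tester stay under the radar;
    here three declines in five minutes trip the limiter while a shopper
    browsing dozens of pages never does.
    """

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)  # (signal, key) -> timestamps in window

    def record(self, key, ts, method, path, status):
        """Record one request and return the most severe action it triggers."""
        actions = ["allow"]
        for sig in classify(method, path, status):
            window, limit, action = self.policy[sig]
            q = self.events[(sig, key)]
            q.append(ts)
            while q and q[0] <= ts - window:  # drop events outside the window
                q.popleft()
            if len(q) > limit:
                actions.append(action)
        return max(actions, key=SEVERITY.__getitem__)


def process_log(lines, limiter=None):
    """Replay log lines through the limiter; return the worst action per IP."""
    limiter = limiter or VelocityLimiter()
    worst = {}
    for line in lines:
        ts, ip, method, path, status = line.split()
        action = limiter.record(ip, int(ts), method, path, int(status))
        prev = worst.setdefault(ip, "allow")
        if SEVERITY[action] > SEVERITY[prev]:
            worst[ip] = action
    return worst


# Constructed sample traffic (not from any real site): a normal shopper, a bot
# hammering the captcha endpoint and then testing cards, and a bot submitting
# checkouts fast enough to warrant a challenge without tripping the decline limit.
SAMPLE_LOG = [
    "1000 198.51.100.7 GET /cart 200",
    "1030 198.51.100.7 POST /checkout/payment 200",
    "2000 203.0.113.5 POST /captcha/refresh 200",
    "2000 203.0.113.5 POST /captcha/refresh 200",
    "2001 203.0.113.5 POST /captcha/refresh 200",
    "2001 203.0.113.5 POST /captcha/refresh 200",
    "2002 203.0.113.5 POST /captcha/refresh 200",
    "2002 203.0.113.5 POST /captcha/refresh 200",
    "2010 203.0.113.5 POST /checkout/payment 402",
    "2020 203.0.113.5 POST /checkout/payment 402",
    "2030 203.0.113.5 POST /checkout/payment 402",
    "2040 203.0.113.5 POST /checkout/payment 402",
    "3000 192.0.2.9 POST /checkout/payment 402",
    "3005 192.0.2.9 POST /checkout/payment 402",
    "3010 192.0.2.9 POST /checkout/payment 402",
    "3015 192.0.2.9 POST /checkout/payment 200",
    "3020 192.0.2.9 POST /checkout/payment 200",
    "3025 192.0.2.9 POST /checkout/payment 200",
    "3030 192.0.2.9 POST /checkout/payment 200",
]

if __name__ == "__main__":
    for ip, action in process_log(SAMPLE_LOG).items():
        print(f"{ip:15} -> {action}")
```

The client key here is the source IP only for brevity; since the attacks above come from many countries, a real deployment would also key the same counters on a card fingerprint or BIN, session or device identifier, and the shipping or billing address hash, so that rotating IPs does not reset the decline counter.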
I share your concerns about carding attacks. It’s pretty scary how quickly these things can happen. The best way to protect yourself is to stay aware of your accounts and be cautious about where you share your information. Using two-factor authentication is a good idea and can add that extra layer of security.
Also, have you checked out KYC verification? It can help reduce the risk of fraud by ensuring that only verified users have access to certain features. Just remember to keep an eye on your statements regularly and report any suspicious activity right away. Trust your gut and step back if you are unsure about a transaction.