Not, much more you can do in the specific case you described.
The only way to be 100% certain would be to kill the guest checkout and require registered customers to go through KYC process so you know each of them is the real person they claim to be on the card. But that is not something a usual B2C customer would go through just to make a purchase.
Do you by any chance use Braintree for payment processing? Our sites have been targeted for the last several days. We have advanced fraud prevention on Braintree configured, we have reCaptcha configured on payment page. But they seem to be able to bypass reCaptcha. Any additional thoughts? We are considering implementing CloudFlare and putting rate limiting in place. We have noticed that when the attacks happen, they seem to be bypassing the captcha as there are hundreds of POST /captcha/refresh issued within just a few seconds.
THese attacks have occurred from multiple global locations, including the US and Canada.
Any additional thoughts you have are much appreciated