Archived Forum (read-only): Extension

Snaptcha

ExpressionEngine 2, ExpressionEngine 3, ExpressionEngine 4, ExpressionEngine 5, ExpressionEngine 6


Bypassing form with POST submissions

Support Request

psalms4u

We have been using snaptcha for years and it completely stopped spam account creation. However, we have lately been the victim of stolen credit card validation attempts through our subscription system. Their method is to have a human sign up for a subscription, then capture all of the http POST headers and then alter and resubmit them using a script. They do not submit the form itself, they only submit the data to the form page (which is set in the action attribute of the form). Snaptcha did not stop the submission of 6000+ subscriptions using stolen credit card data. It is set at security level 3. Is this a known weakness of snaptcha or what is happening? Please advise.

# 1 PutYourLightsOn

Sorry to hear that. Which form add-on is being used to process paid subscriptions?

# 2 psalms4u

We are using Membrr. However, my main question is this: since Snaptcha loads with JavaScript and is triggered on form submission, if I just follow the process described above and post an HTTP submission straight back to the form, Snaptcha can’t stop that reception of HTTP data, correct? In other words, once a human has submitted the form validly, those captured headers (and any alteration made to the data in them) can keep being resubmitted, thereby bypassing Snaptcha. Is that correct?

# 3 PutYourLightsOn

In the high security setting, Snaptcha will only allow a single form submission per page load. The problem is that Membrr is not on the list of supported add-ons:
https://putyourlightson.com/plugins/snaptcha-ee#using-snaptcha
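The "single form submission per page load" check that post #3 describes, shown as an added illustration that is not Snaptcha's code and not from this thread: the server issues a one-time token when the form page is rendered and consumes it on the first accepted POST, so a captured request that a script replays, with or without altered fields, is rejected server-side regardless of what the browser's JavaScript did. The field name `_snap_token`, the TTL and the card values are assumptions constructed for the demo.

```python
import secrets
import time

TOKEN_TTL = 600  # seconds a page load's token stays valid (assumed value)

# Server-side record of tokens issued at page load: token -> {issued_at, used}
_issued = {}


def issue_token(now=None):
    """Called when the form page is rendered: one fresh, unguessable token per page load."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[token] = {"issued_at": now, "used": False}
    return token


def validate_submission(form, now=None):
    """Accept a POST only if its token was issued by us, is unexpired and has not been used."""
    now = time.time() if now is None else now
    rec = _issued.get(form.get("_snap_token"))
    if rec is None:
        return (False, "unknown token")
    if now - rec["issued_at"] > TOKEN_TTL:
        return (False, "expired token")
    if rec["used"]:
        return (False, "replayed submission")
    rec["used"] = True  # consume: exactly one submission per page load
    return (True, "ok")


def replay_demo():
    """Constructed scenario from the thread: one legitimate submission, then replays of it."""
    token = issue_token(now=1000.0)                        # human loads the subscription form
    captured = {"_snap_token": token, "card": "4111-demo"}  # what the browser actually POSTs
    results = [validate_submission(captured, now=1010.0)]  # first submission is accepted
    altered = dict(captured, card="5555-demo")             # script swaps the card and resubmits
    results.append(validate_submission(altered, now=1020.0))
    results.append(validate_submission({"card": "5555-demo"}, now=1030.0))  # no token at all
    stale = issue_token(now=1000.0)                        # a page load left open too long
    results.append(validate_submission({"_snap_token": stale}, now=1000.0 + TOKEN_TTL + 1))
    return results
```

Tokens must live in server-side storage shared by all web nodes (database or cache), since the whole point is that the client cannot mint or reuse them.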