
> If other people did this, but ended up doing it from an insecure machine and lost the credentials / got hacked, I can see why at least some orgs might want to prevent people from doing this.

The measure is not really about protecting the user who is using the payment form; it is meant to "protect" the system that is validating the payment data. The payment form may be a target for an attacker who has gotten a large batch of credit cards from somewhere else and wants to validate the data. They then regularly exploit such forms, or other naive payment systems, to check if the credit card data is valid.

The CandyJapan owner wrote some blog posts about the subject.

https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...

https://www.candyjapan.com/behind-the-scenes/candy-japan-hit...

https://www.candyjapan.com/behind-the-scenes/fraudulent-tran...



