The process for creating a customer payment profile doesn't have any method to stop card spamming.
When someone uses a bot to attempt to add credit cards to their account in order to test to see if they are valid, there is no method for capturing and restricting access.
I recently had someone bot spam my add payment page with 25,000 credit card attempts. None of them were approved due to AVS mismatches or other errors. Unfortunately I racked up $2,500 in AVS charges from my payment processor.
The Advanced Fraud Detection Suite will freeze your account if there is a certain volume of activity, but that stops everyone from processing transactions - an unacceptable solution. It also has an IP Address check, but there is no IP Address being accepted when adding payment profiles.
Since CIM is a paid service, I would think that a basic fraud detection of how many transactions from a single customer in a period of time would be appropriate as part of that service. This would limit the transactions sent to the processor from a restricted IP address.
If you are using CIM on your website, understand that someone can easily write a bot script to submit forms or make ajax calls. There is nothing built in to restrict it.
02-24-2021 02:36 AM
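A server-side velocity check for the add-payment-profile flow described in the post, as an added example that is neither the poster's nor Authorize.Net's code: it counts add-card attempts and declines per customer and per client IP in a sliding window and refuses to forward another card to the processor once a threshold is hit, so AVS fees stop after a few failures rather than thousands. The class and function names, thresholds and the simulated scenario are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds are constructed assumptions; tune them to real traffic.
MAX_ATTEMPTS_PER_WINDOW = 5
MAX_DECLINES_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class CardVelocityGuard:
    """Tracks add-card attempts per key (customer id, client IP) in a sliding window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS_PER_WINDOW,
                 max_declines=MAX_DECLINES_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.max_declines = max_declines
        self.window = window
        # key -> deque of (timestamp, declined) events, oldest first
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        events = self._events[key]
        while events and now - events[0][0] >= self.window:
            events.popleft()
        return events

    def allow(self, customer_id, client_ip, now):
        """True if this add-card request may be sent on to the processor."""
        for key in (("customer", customer_id), ("ip", client_ip)):
            events = self._prune(key, now)
            declines = sum(1 for _, declined in events if declined)
            if len(events) >= self.max_attempts or declines >= self.max_declines:
                return False
        return True

    def record(self, customer_id, client_ip, now, declined):
        """Record the processor's answer; an AVS mismatch counts as declined."""
        for key in (("customer", customer_id), ("ip", client_ip)):
            self._events[key].append((now, declined))


def simulate_card_testing(guard, customer_id, client_ip, attempts, start=0):
    """Constructed scenario: a bot submits `attempts` bad cards one second apart.
    Returns how many requests actually reached the (simulated) processor."""
    forwarded = 0
    for i in range(attempts):
        now = start + i
        if guard.allow(customer_id, client_ip, now):
            forwarded += 1
            guard.record(customer_id, client_ip, now, declined=True)
    return forwarded
```

Because both the customer id and the IP are keyed, a bot that rotates IPs is still stopped by the per-customer counter, and one that rotates customer accounts is still stopped by the per-IP counter.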