We have succesfully relied upon the x_duplicate_window value being passed to block users who attempt to submit multiple transactions in a short amount of time. This worked well for several years, until recently when the value seems to now be ignored. Now we've got users submitting 12 transactions in 2 minutes or less.
Are you still experiencing this issue?
We are unable to duplicate the error in the Sandbox.
I'd recommend subscribing to this topic so that you'll be alerted via email if anyone else from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.
I suspect what the cause is but cannot prove it yet. I am 99% sure that in the past, a duplicate charge within x minutes would have be based upon the same credit card, same ip and a couple other items, but not the order id. Now if the order id is different then Authorize.Net does not see the charge as a duplicate. This is bad. Now a fraudulent charger can cause the order id to increment over and over and submit hundreds if not thousands of bogus duplicate charges. I've looked at the new fraud detection suite settings that allow you to throttle by hour or day, etc. THESE ARE TOTALLY WORTHLESS! During certain times of the year, it is expected of our site to process several hundreds charges per hour, just not from the same person. And limiting by IP is pointless when half the world shares an IP as they are behind a corporate proxy or firewall.