I have a .NET C# web application that allows users to purchase products.
My site has a payment page, with input fields etc.
I have had some attacks recently via bots automating the submission of payments just to validate credit card authorization.
So I need to change my page so that bots can't do this. So I am looking for advice on how to do this. I have started by changing the field names so that they are different each time the page loads, via a hash. Any other tips?
I can understand that you are trying to find a solution which does not involve human interaction in order to keep the user experience as good as possible.
Since the evil-doers are using your site to check credit card validity, you are probably dealing with a more targeted misuse of your resources as opposed to common blocking scenarios for automated processes, like comment spam bots and the like. Depending on how valuable “your service” is to the people who are exploiting your website, locking them out without requiring human interaction might only work until they figure out what you changed.
Alternating field names aren’t going to stop them from populating the fields by order of appearance on your site, for example.
Solutions like having JavaScript populate a hidden form field are only good as long as the bot does not speak JavaScript.
I would suggest using all the techniques found when searching for CAPTCHA alternatives and using the methods in random combinations for each request – then hope that another site is less secured so they start using a different site to get what they need.
If none of that helps, you can still use a solution that involves human interaction.
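
The per-load hashed field names from the question can be combined with a decoy input that catches bots filling fields by order of appearance, as the answer warns. This is an added example, not code from the original posts; `FormGuard`, the field names, the 15-minute lifetime and the sample submissions are hypothetical, and it assumes .NET 6 or later.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class FormGuard // hypothetical helper, not from the original page
{
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32); // server-side secret (constructed)
    // "decoy" is rendered first in the markup and hidden with CSS; real users never fill it.
    static readonly string[] Logical = { "decoy", "card_number", "expiry", "cvv" };

    static string Mac(string s) =>
        Convert.ToHexString(HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(s)));

    // Per-load input name: keyed hash of nonce + logical name, unpredictable without the key.
    public static string FieldName(string nonce, string logical) => "f" + Mac(nonce + "|" + logical)[..16];

    // Token "nonce.issuedUnix.mac", emitted in a hidden input next to the renamed fields.
    public static string IssueToken(DateTimeOffset now)
    {
        string body = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)) + "." + now.ToUnixTimeSeconds();
        return body + "." + Mac(body);
    }

    // Returns null when the post is accepted, otherwise a rejection reason for logging.
    public static string? Validate(string token, IDictionary<string, string> posted, DateTimeOffset now)
    {
        var p = token.Split('.');
        if (p.Length != 3 || !CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(Mac(p[0] + "." + p[1])), Encoding.ASCII.GetBytes(p[2])))
            return "bad token";
        long age = now.ToUnixTimeSeconds() - long.Parse(p[1]); // safe: MAC already verified
        if (age < 0 || age > 900) return "token expired";
        posted.TryGetValue(FieldName(p[0], "decoy"), out var decoy);
        if (!string.IsNullOrEmpty(decoy)) return "decoy filled";
        return Logical.Skip(1).All(n => posted.ContainsKey(FieldName(p[0], n))) ? null : "missing field";
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = IssueToken(now), nonce = token.Split('.')[0];
        // Constructed submissions: a browser leaves the decoy empty, an order-filling bot does not.
        var human = Logical.ToDictionary(n => FieldName(nonce, n), n => n == "decoy" ? "" : "x");
        var bot = Logical.ToDictionary(n => FieldName(nonce, n), n => "x");
        Console.WriteLine(Validate(token, human, now.AddSeconds(20)) ?? "accepted");
        Console.WriteLine(Validate(token, bot, now.AddSeconds(20)) ?? "accepted");
    }
}
```

The token stays valid for replay until it expires, so recording each nonce as used on the server side is needed to make it single-use.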