We work with a 501c3 that has a donation form that's been getting hit with crazy amounts of phishing. The charges weren't being declined, but every 3-5 minutes they were submitting a new $1 donation with a new card number and "Address" as the address. The bank is telling the client they only validate the information that's on the card - the name, card number, and cvv2. So my question to anyone who's knowledgable in this area is - WTF?? Is that common policy or is their bank, FirstTrans, just a bad bank? I feel pretty astonished the address isn't also validated because if the card is stolen they have all the info they need.