Yup. The only real way to stop bots is by convincing the operator that your data is poisoned.
That means you need to poison the data when you detect a bot.
Was it always $1? If I was the attacker, surely you’d pick a random number. My guess is that $1 donations would be an outlier in the distribution and therefore easy to spot.
It’s also interesting that merchants (presumably) don’t have a mechanism to flag transactions as being >0% chance of being suspect. Or that you waive any dispute rights.
As a merchant, it would be nice if you could demand the bank verify certain transactions with their customer. If I was a customer, I would want to know that someone tried to use my card numbers to donate to some death metal training school in the Netherlands.
They did try adding variations to the amount (+0.50-1.00) late in the game, but by then it was ineffective; I could still quickly detect them and turn on the randomized data poisoning. I expect that they want to keep the amount small so most cardholders won't bother to look into the unfamiliar charge.
I do wonder whether these people sold their list of "verified" credit card numbers to any criminal enterprises before they realized the data was poisoned. That would be potentially awkward for them.
I like how this kind of response is very difficult for them to detect when I turn it on, and as a bonus, it pollutes their data. They stopped trying a few days after that.
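An added sketch of the defence discussed in this thread, not code from any of the posters: a donation gate that flags a client trying many distinct cards at small amounts and, once flagged, answers with random approve/decline results without calling the processor. The detection heuristic, the thresholds, the 50/50 response and every name here (`DonationGate`, `fingerprint`, `FP_KEY`) are assumptions for illustration.

```python
import hmac, random
from collections import defaultdict, deque

# All thresholds and names below are assumptions for illustration.
WINDOW_S = 600        # sliding window, seconds
MAX_CARDS = 3         # distinct cards one client may try per window
SMALL_AMOUNT = 2.00   # covers $1 and the +0.50-1.00 variations
FP_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

def fingerprint(card):
    """Keyed hash so raw card numbers are never kept in memory."""
    return hmac.new(FP_KEY, card.encode(), "sha256").hexdigest()

class DonationGate:
    def __init__(self, charge, rng=None):
        self.charge = charge            # real processor call: (card, amount) -> bool
        self.rng = rng or random.Random()
        self.seen = defaultdict(deque)  # client -> (timestamp, card fingerprint)
        self.poisoned = set()

    def _distinct_cards(self, client, now):
        q = self.seen[client]
        while q and now - q[0][0] > WINDOW_S:
            q.popleft()                 # drop attempts outside the window
        return len({fp for _, fp in q})

    def submit(self, client, card, amount, now):
        if amount <= SMALL_AMOUNT:
            self.seen[client].append((now, fingerprint(card)))
            if self._distinct_cards(client, now) > MAX_CARDS:
                self.poisoned.add(client)
        if client in self.poisoned:
            # No processor call: the answer is noise unrelated to card validity,
            # and it looks like a normal approve/decline to the client.
            return {"approved": self.rng.random() < 0.5, "charged": False}
        return {"approved": self.charge(card, amount), "charged": True}
```

Because a poisoned client never reaches the processor, no cardholder is charged and the bot's "verified" list carries no signal about which cards are live.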