Payment systems
mitaichik, 2016-08-23 08:59:16

Is it so easy to pick up cvc/cvv?

Hello! Yesterday I debugged some code that is executed when you enter incorrect bank details when paying for an item.
In the process of debugging, I entered incorrect data 150 times, of which 30 times - incorrect CVV. At the same time, nothing happened to my card (one of the largest Russian banks), it was not blocked.
Therefore, the question arose: Do banks really not block cards during CVV brute force? Why then does PCI DSS forbid it from being stored if it is so easy to hack?


1 answer(s)
DaNHell, 2016-08-25

Dmitry: you are mistaken) In Russia only a swindler returns funds to the victims; in the USA the bank returns them. I'll even say more: in the Russian Federation, sometimes they even force the victim to file a claim, although he may not be aware at all and live in peace without noticing the missing amount. Well, "very" logical explanatory notes in such cases are written ... à la, an employee of the bstm called me, said, I checked the funds, this is all after a month +. And it always ends with "the damage was significant for me."
In general, it depends more on the client himself, who needs it - he will return it, he fusses.
Brutal, why not? Many bottlenecks in a good sense are scattered to this day, to the stupidity of the head box of developers, or to the delight of competent researchers)

I am sure that a simple person, with all the desire, will not be able to brute force him. Timeouts, IP ban, restriction of input attempts.
CVC/CVV is not brute force - it is stupidly stolen using the user's naivety and stupidity, phishing, injections and other mechanisms.

It turns out I'm a robot, or a Martian. The question is not "WHAT" (in this case, to tie) should be asked, but "HOW".
In 3 years of experience in the most beloved and for me completely non-competitive area - like "bruteforce", half of the solutions were ten times more difficult compared to this problem ... given that the number of non-typical and completely different solutions exceeds 2000...
P.S. Of course, they will quickly send you directly to processing. As I always say - an integrated approach .. there is always a way out ...
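
Added example, not part of the original thread or either poster's code: a sketch of the "restriction of input attempts" control mentioned above, counting wrong CVV entries per card (keyed hash of the card number) in a sliding window, so the count follows the card whatever the client address. The class name, the 5-failures-per-hour threshold, the secret and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class CvvFailureLimiter:
    """Refuse further attempts on a card after too many wrong CVVs in a window."""

    def __init__(self, secret, max_failures=5, window_s=3600):
        self.secret = secret
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # card key -> failure timestamps

    def _card_key(self, pan):
        # Keyed hash so the counter store never holds the card number itself.
        return hmac.new(self.secret, pan.encode(), hashlib.sha256).hexdigest()

    def _recent(self, pan, now):
        q = self._failures[self._card_key(pan)]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop failures that have left the window
        return q

    def allowed(self, pan, now):
        return len(self._recent(pan, now)) < self.max_failures

    def record(self, pan, cvv_ok, now):
        q = self._recent(pan, now)
        if cvv_ok:
            q.clear()  # a correct CVV resets the counter for this card
        else:
            q.append(now)


def replay(events, limiter):
    """Return (forwarded, refused) counts for (time, ip, pan, cvv_ok) events."""
    forwarded = refused = 0
    for now, _ip, pan, cvv_ok in events:
        if not limiter.allowed(pan, now):
            refused += 1  # declined locally, never sent on for authorization
            continue
        forwarded += 1
        limiter.record(pan, cvv_ok, now)
    return forwarded, refused


# Constructed sample: 30 wrong CVVs for one test card number, 10 s apart,
# each from a different client address (documentation range 203.0.113.0/24).
TEST_PAN = "4111111111111111"
EVENTS = [(i * 10, f"203.0.113.{i + 1}", TEST_PAN, False) for i in range(30)]

if __name__ == "__main__":
    print(replay(EVENTS, CvvFailureLimiter(b"constructed-demo-secret")))
```

With the sample above, only the first five of the thirty attempts are forwarded; the card becomes usable again once those failures age out of the one-hour window.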
