A lot of smaller charities donation pages are readily abusable to "validate" card numbers, bruteforce CVV number, expiry, etc.
A few local charities that all had their sites running the same shit ended up getting absolutely hammered with charge back fees a while back, someone had been abusing their pages to check and crack card numbers to use.
Donation pages seem to be the easiest to abuse based on the data I've seen.
Presumably they got lucky with a Luhn generator and ecommerce that was especially lax in their checks, but it was still pretty concerning!