[quickthrower2]

That raises more questions. My product is $29 say. How come they are allowed to make a small transaction at all?

[chrisdkemper]

The attacker unfortunately doesn't have to use any aspect of the products that the site implements. In my situation I have different subscription levels, but the card attacker disregards all of it. Stripe really shouldn't allow for a card to be referenced without a predefined product also being referenced.

It's almost as is Stripe doesn't want to stop the attacks because they're making so much from fees

[tempaccount3333]

They are using my predefined products/subscriptions and aren't creating their own.

[stef25]

OP says they're using his public key to create their own checkout page so they can set whatever price you want.

Kind of doubtful that all you need to test cards is a public key scraped off any site that's implemented Stripe.

[tempaccount3333]

They are using my subscriptions. They don't set their own price

[withinboredom]

Because they generate their own links using the checkout api for clients (thus all they need is your public key)