Card-tumbling, like its evil relatives automated spam, script kiddies and privacy breaches, is not a problem to be solved but a fact of life on the internet.
Recently, new strategies used by bad actors mean that even if you thought you'd fixed this, you might need to review your defenses.
If you've got a publicly accessible contribution page using an on-site payment processor, there's a good chance that you're a target.