#jjoyceiv-ach-debit
Great. The reason I ask is that our service saw some bad actor create a bunch of fraudulent accounts and try to attach the same bank account to each one using the microdeposit verification process (presumably to try to collect the <$300 at the end). My idea to help secure against that is to IP rate limit those requests on the server side (1 per 12h or 24h) prior to storing the source. Other than possibly inconveniencing some legit users on shared networks like parts of a college campus, can you see any reason this approach wouldn't work, short of facing a botnet with hundreds to thousands of IPs, and a reCAPTCHA-breaking service to match (our service uses a reCAPTCHA at account registration)?
no that would work great
an alternative: let us handle this. We added support for ACH Debit in Checkout a few weeks ago. Just use Checkout and let us do all the work, captcha, etc. 🙂
Checkout's not a great fit for our service at this time (we do $1mil+ of card+ACH gross volume monthly), but I am keeping an eye on the new ACH Debit features and will consider switching us there in the future.