have you applied security assist access restriction to any of the checkout pages? is there access restriction applied to the confirm page? or to the failure page?
yes, use server validations for validating the credit card fields.
see the following thread for details on using server validation on the eCart checkout pages: