In theory, everything can be evaded. In practice, it won't be. If you run your transactions through something like MaxMind MinFraud with Device ID, you will know it's the same person, even if they clear cookies, switch proxies and re-register on your store between every card. It costs half a penny per transaction; anyone can afford basic risk scoring.

Most of the time that kind of tech isn't even necessary. The types of criminals most online stores deal with are not sophisticated; they're just people that paid $1/number for a list of phished credit cards on a black market forum who are going to enter them one-by-one on a few websites to see which haven't been reported stolen yet.