I think you are thinking too much. Payment systems hacking can be prevented by the payment processing system only and if you want to black list cookies+ip is your best choice if you allow anonymous buying of your product