I’d avoid Captcha until you’ve exhausted other options. In order to be successful in matching a CC #/name pattern, the baddies must be doing thousands of attempts against your server. As mentioned before, the first line of defense should be to identify suspicious behavior patterns and block those.
In particular, if you get more than, say, 5 attempts at form completion within 30 seconds from the same IP, you could remove the form and put a message like “It seems like you’re having problems making a donation. Our apologies. We’re happy to accept your donation over the phone at __“. Friendly message in case there’s actually a legit person that falls in this bucket, but presents a dead-end to the baddies.
Another idea related to form completion time — split the form into multiple pages (contact info on one, CC info on another perhaps). Block anyone that fills the initial page in within milliseconds when they go to the next page.
And as I mentioned in a comment on the original question — the best solution may be to outsource the credit card gateway to one of the many companies out there. I’ve worked for small non-profits before and even the most responsible developers likely don’t have the bandwidth to keep up on every possible security concern. The transaction costs of using a vendor are a concern, but shifting the burden of protecting against fraud can free the organization to focus on bigger issues.
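The two checks described in this answer (the limit of 5 attempts in 30 seconds per IP, and the page-one fill-time check), as an added example that is not part of the original answer. The class name, the 1-second fill cutoff, the HMAC-signed hidden field and the single-process in-memory store are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # "more than, say, 5 attempts" from the answer
WINDOW_SECONDS = 30     # "within 30 seconds" from the answer
MIN_FILL_SECONDS = 1.0  # assumed cutoff for "fills the page in within milliseconds"


class DonationFormGuard:  # hypothetical name, in-memory state for one process
    def __init__(self, secret: bytes):
        self._secret = secret
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent submissions

    def allow_attempt(self, ip, now=None):
        """Record a submission; False means show the phone-donation message instead."""
        now = time.time() if now is None else now
        recent = self._attempts[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()  # drop submissions that fell out of the window
        recent.append(now)
        return len(recent) <= MAX_ATTEMPTS

    def issue_page_token(self, ip, now=None):
        """Signed render time of page 1, sent to the browser as a hidden field."""
        now = time.time() if now is None else now
        issued = f"{now:.3f}"
        return f"{issued}:{self._sign(ip, issued)}"

    def filled_too_fast(self, ip, token, now=None):
        """True if the token is forged or page 1 came back faster than a person types."""
        now = time.time() if now is None else now
        issued, _, mac = token.partition(":")
        # The client controls the token, so verify the MAC before trusting the time.
        if not hmac.compare_digest(mac.encode(), self._sign(ip, issued).encode()):
            return True
        return now - float(issued) < MIN_FILL_SECONDS

    def _sign(self, ip, issued):
        msg = f"{ip}|{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
```

Behind a proxy or load balancer the IP must come from a trusted forwarding header, and multiple web workers would need a shared store in place of the in-memory dict.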