How can I clone cards on my site?

5

Here is what is happening. I am currently trying to solve a big problem: two of the virtual stores of the company I work with have problems with card cloning. I do not have much experience in this, but I will explain how the card system works today.

1) The customer enters the card data in the shopping cart.
2) An AJAX call sends this information to an .asp file, which processes the payment and returns the result.

The stores:

  • Use SSL.
  • Do not save anything in the card database.
  • The Server said it has no virus.

What actions can I take to try to resolve this? Speaking of programming.

    
asked by anonymous 06.09.2018 / 19:19

2 answers

4

Let's go. Based on the information in your comments, without the logs, without access to the server, and without access to your code, we can only guess where the problem is happening.

 - They use SSL.

If all communications use SSL, the problem dies here... When I say all communications I mean that your website should do all communication between the browser (client) and your server via https:. Another point is whether your AJAX sends the data to the .asp over an SSL connection; if the answer is yes, it would be very complicated for someone to intercept the communication between the browser (client) and the server (nginx, Apache, IIS, etc.), and it would also be very complicated to forge the SSL to try to get the data in the clear...

If the sending of data between your AJAX and the .asp is not encrypted, any sniffer or ARP spoofer running on the network where your server is can read this information; the same happens on the network that is receiving the data, in your case the network where the .asp is. In both cases you are a hostage: you have no control over either network, so sit and cry, or make sure everything is encrypted.

 - They do not save anything about the card in the database.

If you make sure nothing is saved anywhere, forget about database intrusion issues and SQL injection.

 - The server said it has no virus.

This is very vague; the problem may be occurring here. It may be the server or a vulnerability in your code. There is no point in everything being encrypted via SSL if your server is compromised: some open FTP port, something that can be exploited by exploits and allow full access to the server. This would let the attacker change code in a hidden way and send the forms to his own server / PC / database... The same can happen with your PHP / ASP: if you have any holes in them, the attacker can insert hidden code on your server without your knowledge.

Imagine that a hacker finds a way to access your server; he can accomplish this by exploring HTTP / SSH / FTP / exploits / loopholes in code (PHP, ASP), etc. Imagine that I am on the form and typing my credit card number. OK, the data is encrypted via SSL, so when I press submit no one in theory could read the transaction, but the data from the form on the server side is not encrypted: someone could insert, somewhere in the code, something that stores or sends this data...

 - What actions can I take to try to resolve this? Speaking of programming.

Without knowing for sure where the problem is, there is no way to guess :-(

    
06.09.2018 / 21:51
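The "everything over https" condition the answer above insists on can be checked mechanically. The following is an added example (not the asker's code and not code from this answer): it scans a checkout page's HTML for form actions, script sources and inline AJAX calls that point at plain http:// URLs, which are exactly the places where card data would leave the browser unencrypted. The sample page, the endpoint names and the function names are constructed for the demonstration.

```python
"""Added example, not code from the question or the answer above: find places in a
checkout page where card data could travel over plain HTTP. Everything below
(page content, endpoint names) is constructed for the demonstration."""
import re
from html.parser import HTMLParser

# Quoted absolute http:// URLs inside inline script, e.g. $.ajax({url: "http://..."})
INSECURE_URL = re.compile(r"""['"](http://[^'"]+)['"]""", re.IGNORECASE)


class InsecureEndpointFinder(HTMLParser):
    """Collects (kind, url) findings for http:// form actions, http:// script
    sources and http:// URLs referenced from inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buffer = None  # non-None while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form" and attrs.get("action", "").lower().startswith("http://"):
            self.findings.append(("form-action", attrs["action"]))
        elif tag == "script":
            if attrs.get("src", "").lower().startswith("http://"):
                self.findings.append(("script-src", attrs["src"]))
            self._script_buffer = []

    def handle_data(self, data):
        if self._script_buffer is not None:
            self._script_buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buffer is not None:
            for url in INSECURE_URL.findall("".join(self._script_buffer)):
                self.findings.append(("inline-script-url", url))
            self._script_buffer = None


def find_insecure_endpoints(html):
    """Return a list of (kind, url) for every insecure endpoint found in html."""
    parser = InsecureEndpointFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed checkout page: one form posts to http://, one inline AJAX call
# posts to http://; the CDN script (https) and the relative form action are fine.
SAMPLE_HTML = """
<form id="checkout" action="http://loja.example/pagamento.asp" method="post">
  <input name="numero_cartao">
</form>
<script src="https://cdn.example/jquery.min.js"></script>
<script>
  $.ajax({url: "http://loja.example/processa_pagamento.asp", type: "POST",
          data: $("#checkout").serialize()});
</script>
<form action="/pagamento_seguro.asp" method="post"></form>
"""

if __name__ == "__main__":
    for kind, url in find_insecure_endpoints(SAMPLE_HTML):
        print(f"{kind}: {url}")
```

Run it against the saved HTML of the cart page and of the page that holds the AJAX call; anything it reports is a request that a sniffer on either network could read, regardless of the certificate on the site itself. A relative action such as /pagamento_seguro.asp inherits the scheme of the page, so it is only safe if the page itself is served over https.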
0

Are you using an anti-forgery token (AntiForgeryToken)?

It may be that in the shopping cart payment, instead of clicking once, the customer is double-clicking the Pay button.

If this is happening and you do not use the token, the payment will be processed more than once.

If you validate tokens of this type, once the user has done the POST of the payment form and used a token, the token will no longer be valid, and retry attempts to use that same token, which would happen if he pressed the button numerous times, will fail.

To use AntiForgeryToken, simply decorate the controller method with:

using System.Web.Mvc;

public class PagamentoController : Controller
{
    // Rejects the POST unless the hidden __RequestVerificationToken field
    // matches the anti-forgery cookie issued with the form.
    [ValidateAntiForgeryToken]
    [HttpPost]
    public ActionResult Pagar(PagamentoModel model)
    {
        ....
        return View();
    }
}
    
06.09.2018 / 19:24
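The single-use token behaviour this answer describes, written out as an added example that is neither the answer's code nor ASP.NET's own ValidateAntiForgeryToken implementation: a server-side store issues a per-session token when the payment form is rendered and accepts it exactly once, so the second POST from a double-click (or a replay) is rejected before any card data is touched. The class and function names, the form_token field name, the 15-minute lifetime and the session id are assumptions made for the demonstration.

```python
"""Added example (not from the answer above): a single-use form token store that
rejects a repeated POST of the same payment form. Names and values are constructed."""
import secrets
import time

# Assumed lifetime for an unused form token (constructed value).
TOKEN_TTL_SECONDS = 15 * 60


class SingleUseTokenStore:
    """Server-side record of outstanding form tokens, keyed by session.
    consume() removes the token on first use, so the same token presented a
    second time (double-click, browser retry, replay) fails validation."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._tokens = {}    # (session_id, token) -> issue time

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._tokens[(session_id, token)] = self._now()
        return token

    def consume(self, session_id, token):
        # pop() is the one-shot step: the token is gone after the first lookup,
        # whether or not it turns out to be expired.
        issued = self._tokens.pop((session_id, token), None)
        if issued is None:
            return False
        return self._now() - issued <= TOKEN_TTL_SECONDS


def handle_payment_post(store, session_id, form):
    """Stand-in for the .asp / controller action that processes the payment.
    The token is validated before anything is done with the card data."""
    if not store.consume(session_id, form.get("form_token", "")):
        return {"status": 400, "body": "invalid, expired or already-used form token"}
    return {"status": 200, "body": f"charged {form['amount']}"}  # constructed result


def simulate_double_click():
    """Render the form once (one token), then POST it twice as a double-click
    would. Returns the two HTTP status codes."""
    store = SingleUseTokenStore()
    session_id = "sess-123"
    form = {"form_token": store.issue(session_id), "amount": "99.90"}
    return [handle_payment_post(store, session_id, form)["status"] for _ in range(2)]


if __name__ == "__main__":
    print(simulate_double_click())   # [200, 400]
```

Keying the store by (session, token) means a token cannot be moved between sessions, and removing it on the first lookup rather than after a successful charge keeps a failed or slow first request from being retried with the same token.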