I can think of two ways they could try to run a script against your checkout form:
1) They have written some kind of bot which executes the form requests automatically, just like a user would submit the payment information form. So they are basically sending requests to your server, which do not come from your own website / form. This is prohibited by default, by the web-server you're running - IIS, but maybe you have your configurations file modified? Check this link: http://enable-cors.org/server_iis7.html
You need to check your web.config file that is in the nopCommerce root folder. If you find that configuration, remove it from the file - or specify the exact domain names that you'd like to accept requests from, never allow all ("*").
2) They have automated the website's UI, using common UI Testing tools like Selenium, and are sending the requests using your website's form.
I think in either case you could try to restrict the IP that the requests are coming from ? This must be configurable from IIS - if your hosting provider does not allow you direct access to IIS, you could try to contact them and see what they can do. Alternatively, you could search for some nopCommerce plugins that restrict IPs (I've done a brief search in the past, there are some out there)
Hope this helps.