Currently when an LO form is unpublished, that just "shuts the front door" by making the client-side page for that form inaccessible, but that form is still available for attackers to fraudulently send payment data to over HTTP POST -- which is then processed by the unpublished donation form. This strikes us as a PCI compliance issue.
| Area of the Product | Donations |
| Org/Company Name | Smithsonian |
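
The gap described in the post, as an added example that is not part of the original submission and not the product's own code: a submission handler that checks only that the form exists, next to one that enforces the publication state server-side before touching payment data. All names, form IDs and the payment fields are hypothetical and constructed for illustration.

```python
# Added illustration; all names are hypothetical, not the product's API.
from dataclasses import dataclass

@dataclass
class DonationForm:
    form_id: int
    published: bool

# Constructed sample data: form 1001 is live, form 1002 has been unpublished.
FORMS = {1001: DonationForm(1001, True), 1002: DonationForm(1002, False)}

def _servable(form_id):
    """Single source of truth for 'may this form be used right now?'."""
    form = FORMS.get(form_id)
    return form is not None and form.published

def render_form(form_id):
    """GET handler, the 'front door': unpublished forms are not served."""
    return 200 if _servable(form_id) else 404

def submit_front_door_only(form_id, payment, processed):
    """Behaviour described in the post: the POST handler finds the form
    but never checks its publication state before processing."""
    if form_id not in FORMS:
        return 404
    processed.append((form_id, payment["amount_cents"]))
    return 200

def submit_enforced(form_id, payment, processed, audit_log):
    """POST handler that applies the same check as the GET handler,
    before any payment data is read or forwarded."""
    if not _servable(form_id):
        # Record the attempt for detection; never log the payment fields.
        audit_log.append({"event": "submit_rejected", "form_id": form_id})
        return 404
    processed.append((form_id, payment["amount_cents"]))
    return 200

if __name__ == "__main__":
    payment = {"amount_cents": 500, "card_token": "tok_constructed"}
    processed, audit = [], []
    print(render_form(1002))
    print(submit_front_door_only(1002, payment, processed))
    print(submit_enforced(1002, payment, processed, audit))
    print(processed, audit)
```

Routing both handlers through one check keeps the page and the submission endpoint from drifting apart, and the rejected-submission records give monitoring a signal for POSTs aimed at forms that are no longer published.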