Is there a limit on how many times are they allowed to re-enter payment details?

They should have indefinite number of opportunities to re-enter the payment details. There is RiskCheck called that blocks the payments for 24 hours in case the user does a X number of attempts (if required only).