The credit card companies have designed the system in such a way that they never carry the risk for fraud. It's brilliant - they're basically printing money.
The consumer was "safe" on the old card-not-present system in the sense that the merchant has to refund the payment when the consumer cries fraud to the card company. If enough consumers cry fraud, the payment processing gateway (another middle man) may decide to stop the merchant's transaction processing.
The new MasterCard SecureCode and Visa 3-D Secure mechanism is kind of like paypal in the sense that you have to supply a "go ahead" instruction to the card company, except that the merchant still has your card details. Whether a transaction requires the extra step or not is determined by the merchant, the payment gateway and the card company. This is an attempt to move the fraud risk to the consumer, though the merchant could still leak card details.