Actually most get a token from their payment provider and store that for future use - only the very large sites which have their own merchant accounts and card provider systems will store the card details.
In the UK, most card providers require you to enrol into something called "3D Authentication", which sets up a password for your card - when you make a payment online, you put in your card details, billing address etc, and then you are asked for three digits from your 3D Authentication password. The way in which this works is its handled directly by the bank, not the payment provider or the vendor website - the payment provider returns a response saying "3D Auth required, go here to complete..." and you redirect your user to that website, they do the additional authentication, the bank then sends a result back to you, and you send that on to your payment provider.