You are half right and half wrong.
1. For the "card present" case, like swiping or using your Google Wallet or Apple Pay in person, the BANK pays for the fraud (so long as the merchant has the right equipment, saves the signatures etc. etc. .. not hard).
2. For the "card not present" case, like I go to the merchant web site, type in my number etc. etc.. If there's fraud in that case, the MERCHANT eats the cost.
What this tells you is that for card-present case, the banks have a pretty good tech stack, so they are not super worried, and they lose very little money (i.e. they are able to decline the bad purchases before they go through). The card not present, case is much more iffy, and the banks shift the costs onto the merchant, and the merchant can make up their own policies about which transactions are worth the risk.