Online merchants are supposed to comply with PCI-DSS - not store your CCV ever, never transmit your number unencrypted, never store cardholder information unencrypted, plus tons of management controls and audit controls over the same.

In practice, let's just say lazy programming is everywhere. I've seen many people who handle online transactions and violate PCI-DSS to some degree, including storing CCV numbers.