If they were doing that, they should also overhaul the whole system so you're never giving your credit card number directly to the sites. Similar to how if I use OAuth to log into a site, that site never has a chance to see my password.