There an "online pin" system called 3DSecure (also known as Verified By Visa) that uses a system of tokens passed by JavaScript to present the user with a form that's held on their bank's servers. Implementing it is optional for the merchant, but if they choose not to then they're accountable for any fraud. If they do then liability is passed to the customer.

It's all very favourable to the credit card companies.