That’s the ideal, but not always the case. Last time I read the PCI rules, merchants could (still) handle/store card details just as they could before the hands-off approach existed; it just required someone to attest that precautions were taken. I’m sure you can guess how foolproof that is.