The liability is usually with the card issuer (bank), unless the merchant fails to meet liability shift requirements - like processes a card via the manually entered numbers or magstripe, rather than the chip in the card if the terminal supports it.
This the way card networks have encouraged migration to systems that support tokens and cryptograms to limit fraud.
For card-not-present transactions (i.e., all online credit card transactions) the liability is the merchant's. There is no recourse for a merchant who is a victim of a stolen card, the money is simply removed from their account.
