As a developer who has seen many "back end methods," the scary truth is no, it is not always so.
Recently I viewed source on a page. It looked to be well done, no corners cut in design and navigation, but when I got to the secure checkout page, the form POSTED to a NON-SECURE, shared version of a mailto.pl mailer!
Other systems I've seen in place store credit card info directly on the server, in plain text, on a shared server. Or email the info to the company. Bad. Very bad.
You can usually tell these by looking at the overall site: if it looks like the site owner went low-budget, or did it on their own, you can just about bet your data will be insecure. Most of the time this is because the merchant refuses to pay for a second account when they have an in-store terminal.
Larger established sites, or sites that have done the work to secure the data will be pretty obvious. They will have documentation on their site defining what is done to protect your data and it will be verifiable. They will have *their own* SSL cert, not one shared on a shared hosting server. We should not eliminate payPal-connected sites from this; if they are accepting payments via payPal, this is at least one of the *right* ways to accept payments securely for companies who would rather just get the CC info and process it manually.
The way is works is the payment processor is PCI compliant. (Google this.) Their networks and methods of storing/processing credit card information have been audited and have the highest possible degree of security.
A website connects to this processor via SSL. SSL is a method of encrypting the information transmitted to and from a server using 128 bit or 256 bit encryption. The web site will not store this information, it only sends it to the credit card processor and asks for a response. Based on the response, it will process or reject the order.
Larger companies **may** store credit card info, but then the responsibility becomes theirs to be PCI compliant.
Even the highest degree of security is not perfect. Anything can be hacked, but the likelihood is very slim if done correctly. For the most part, it can be a safe process.
Overall, buying online can be extremely safe. But it can also be extremely hazardous on poorly implemented web sites. So when buying from a site, if you're concerned, look around. See how they are doing things. When you get to checkout, don't be afraid to view source and look at the <form action=""> line. If you get a funny feeling, go with your instincts.