Depending on how often the merchant is bitten by fraud, they can require to see an ID card for certain types of transaction (such as cash or check), or raise prices to cover the fraud costs.

Generally, they try to ensure that the liability shift is on the bank's side, by using an EMV capable system for most payments. Of course, that usually requires them to have a specific contract; banks, on their side, perform a risk assessment to ensure that they won't be covering too much fraud.

It's difficult but it comes down to loss-prevention.

I could setup a site with a front-facing flower shop, accept orders, take in the peoples $$ legitimately, and then transact and fulfill their orders (via fraud) on 1800flowers.com for example.

I realize that anyone could do this for anything, but the weaker your weak points are, the easier it is to capitalize on them.