The card number never hits the merchant's web server, so currently they do not have to be compliant.
There is talk in the industry that this will be changing actually; as the card number is still vulnerable to javascript that run's in the merchant's web page. So if the merchant is hacked and their website is compromised then CC numbers are vulnerable. So it is likely at least some of the applicable PCI DSS requirements (and auditing of them) will eventually be required.