For debit cards, the dispute process is called Reg E and the consumer is out the money for a month or more until decided in their favor. So there's risk in storing a debit card number.
"if there's any fraud the merchant eats all of it!"
- not 100% true- see "fraud Liability Shift topics" Your card Issuer gets it if it's an EMV (ie chip was dipped) card-present transaction, merchant gets the liability if it was online or over the phone-Exception being if 3DS is used. Fraud is ultimately payed for either by your bank or by the merchant.
This is an astoundingly naive view of what credit card fraud costs. The merchants are not doing this charitably. Your cost will be amortized somewhere.
Of course the products are all marked up to cover the fraud, but it's not like you can opt out of that markup so you might as well take advantage of the convenience.
For debit cards, the dispute process is called Reg E and the consumer is out the money for a month or more until decided in their favor. So there's risk in storing a debit card number.