It is for card not present transactions – i.e. they steal your card number from a website.

They are not allowed to store the CVV number. They use the CVV to verify the card when you first use it, and if you keep the card on file they may not request it again (they aren’t required to submit this as a part of payment processing) but they do not keep the CVV itself.