That's not quite how it works. When you first add a credit card to Apple Pay, the card information is (securely) sent to your credit card company to validate. The credit card company then turns around and sends back a unique "device account number" that it knows goes with your account (and has the same last four digits as your credit card number, but which is otherwise completely different). That device account number, in turn, is stored in an encrypted form in the iPhone's "secure element" which should be very hard for an attacker to get information from. Your fingerprint is basically used to unlock the secure element so the application can get information back out of it.

When you make an Apple Pay payment, the device account number is sent to the merchant, through the credit card processing network and back to your bank (along with some dynamically generated information to prove that the device account number is being used on the right device). Importantly, this means that your actual credit card number is never seen by the merchant or the processor, and even Apple doesn't store a copy on their servers. The only place your credit card number needs to be stored is at the issuing bank, and they obviously already know what it is.

A longer explanation of all of this is here on Engadget. Although initial fraud rates were pretty high, this seems to be mostly a problem of people fraudulently adding cards to Apple Pay, not any customer information being hijacked in payment processing itself.