No, the data is not stored. It is stolen directly in the browser, before it even has a chance of reaching the infrastructure of the intended website.
As for other things, which you brought up despite not being related to the original statement:
Yes, you can prevent it. In most cases a proper CSP stops the attack. Even if it does not, because the attacker was able to modify the CSP, what I have said above still holds: two of the three points I’ve mentioned deal with exactly that type of attack. If I had claimed that common configurations allow you to do that easily, you would be right, but I haven’t.
And, for example with my current setup, it is impossible to execute. Unless the victim server is also used to store stolen data (which is not the case here). It requires contacting a 3rd party domain and I would have to explicitly allow that. It is not possible, at any significant level, if your company blackholes blacklisted domains. So I’m not theoretical here.
3-D Secure also makes the attack hard, even for an average setup.
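
As an added illustration that is not part of the comment above: a small audit that lists which directives of a Content-Security-Policy would still allow a request to a third-party origin. The function names, the host `shop.example` and the sample policy are constructed for this example, and "first party" is assumed to mean the site's own host and its subdomains.

```javascript
// Added example (not from the thread): list the CSP directives that would still
// let injected script send data to a third-party origin.
// Not exhaustive: four common outbound channels only.
const CHANNELS = ['connect-src', 'img-src', 'script-src', 'form-action'];
// form-action does not fall back to default-src; absent means unrestricted.
const NO_FALLBACK = new Set(['form-action']);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    // The first occurrence of a directive wins; repeats are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Assumption: "first party" means ownHost and its subdomains.
function isThirdParty(source, ownHost) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return false;                      // 'self', 'none', nonces, hashes
  if (s === '*' || /^(https?|wss?):$/.test(s)) return true; // any host is allowed
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return false;         // data:, blob: (no network host)
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
  const base = host.replace(/^\*\./, '');
  return !(base === ownHost || base.endsWith('.' + ownHost));
}

function auditCsp(header, ownHost) {
  const policy = parseCsp(header);
  const findings = {};
  for (const d of CHANNELS) {
    const sources = policy.get(d) ?? (NO_FALLBACK.has(d) ? undefined : policy.get('default-src'));
    if (sources === undefined) { findings[d] = ['(unrestricted)']; continue; }
    const open = sources.filter((s) => isThirdParty(s, ownHost));
    if (open.length) findings[d] = open;
  }
  return findings;
}

// Constructed sample policy for a hypothetical site shop.example.
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.shop.example; " +
  "img-src 'self' https:; connect-src 'self'";
console.log(auditCsp(SAMPLE, 'shop.example'));
```

An empty result means none of the checked directives names a third-party destination; any entry is a destination that had to be allowed explicitly or was left unrestricted.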