While a VM has the potential to help fight malware and financial fraud at the local PC level, I personally worry more about the other end of the payments channel. Sure, I may enter my credentials and payment info on a clean box using Transport Layer Security of some sort, thus protecting my info in transit from my box to a remote server somewhere... but then once the merchant and/or payment processor has the data, all bets are off as far as I am concerned. Does the merchant store the payment/card data? Is it on an unencrypted network share? Is it on a backend database server somewhere with loose DB and NTFS permissions? Does the merchant share data with vendors or other third parties with lax security practices? Even if the merchant is supposedly PCI compliant, there are still often many glaring security holes. I will say that having worked in community banking and information security for the last 10 years, my views are somewhat cynical and biased.
Security is often difficult, and data touches many, many hands these days due to so much outsourcing.