Online payments are authenticated through means other than just your number or the PIN. Different banks have different solutions, but a common factor is that the retailer won't have relevant card information needed to duplicate the transaction. It's basically a one-way thing.
Um, nope. All the information that you need to do a payment online (or using an imprinter - that's still a thing!) is the name of the cardholder, the card number, the expiration date and the 3-digit CVC code (usually non-embossed and on the reverse side of the card). All this info is also on the magnetic strip (minus the CVC code).
The retailers are not supposed to store the CVC number, but who will check and enforce that ... So if you have an unscrupulous retailer or they get hacked, it is pretty easy to steal money from you using fraudulent transactions.
There are programs like Verified by Visa that demand a secondary authentication from you, e.g. by a code sent to your phone, but these don't work everywhere/not all retailers support them, so banks still accept transactions even without them. Then basically the only defense is whether or not the bank has some suspicious activity monitoring in place and whether or not they flag such transactions. May or may not happen - having the triggers too loose means lots of false alarms and unhappy customers.
Coincidentally, the chip & PIN doesn't really solve any of this - if someone steals the data above, they can make purchases online and then flog them e.g. on eBay to launder the money and no one would be any the wiser. Whether or not you have a chip on the card only affects whether someone in Russia or Romania can fabricate a cloned magnetic card to withdraw money from an ATM. If the original card has a chip and the clone doesn't, such a transaction will be flagged and may be refused. Even that isn't guaranteed because the cards are often configured to allow payment using the magnetic strip if the chip isn't working for whatever reason. So it somewhat protects against primitive skimmers but doesn't protect at all against stuff like online fraud.
Why don't banks care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that the bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a PIN, so you had to provide the PIN somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.