And when the payment is actually sought?

What then? When the card's cryptogram (generated with a value of 100) fails to match the cryptogram generated by the issuer (with a value of 123), the issuer just declines the transaction. So either the transaction is declined 'online' and the cardholder walks away empty-handed, or the transaction is accepted by the merchant 'offline' and later rejected by the issuer after the customer has already walked away with the loot.

So it's more a potential attack by a cardholder on the merchant than it is that of a dodgy merchant against unsuspecting cardholders.
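The two outcomes described above (online decline versus offline acceptance followed by a later issuer rejection), as an added illustration that is not part of the original post. HMAC-SHA256 stands in for the real EMV application cryptogram algorithm, and the key, ATC, unpredictable number and field layout are all constructed values.

```python
import hmac
import hashlib

# Constructed key shared between card and issuer (example value, not real key material).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def cryptogram(key: bytes, amount: int, currency: str, atc: int, un: int) -> bytes:
    """Simplified stand-in for an EMV application cryptogram: a MAC over the
    transaction data the card sees. Real EMV uses a 3DES/AES session key
    derived from the ATC; HMAC-SHA256 is used here only to show the mechanics."""
    data = f"{amount:012d}|{currency}|{atc:05d}|{un:08x}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def issuer_decision(card_ac: bytes, amount_claimed: int, currency: str, atc: int, un: int) -> str:
    """The issuer recomputes the cryptogram over the amount in the authorisation
    request and compares it with the cryptogram the card produced."""
    expected = cryptogram(CARD_KEY, amount_claimed, currency, atc, un)
    return "approved" if hmac.compare_digest(card_ac, expected) else "declined"


def run_transaction(card_amount: int, merchant_amount: int, offline: bool) -> dict:
    """The card signs card_amount; the merchant submits merchant_amount.
    Online: the issuer answers before goods change hands.
    Offline: the merchant accepts on its own and only hears from the issuer later."""
    atc, un, currency = 42, 0xDEADBEEF, "GBP"  # constructed transaction context
    ac = cryptogram(CARD_KEY, card_amount, currency, atc, un)
    verdict = issuer_decision(ac, merchant_amount, currency, atc, un)
    if offline:
        # Goods are released regardless; the merchant bears the loss if the issuer later rejects.
        return {"merchant": "accepted", "issuer_later": verdict,
                "goods_released": True, "merchant_paid": verdict == "approved"}
    # Online: a mismatch is caught before the cardholder leaves the till.
    return {"merchant": verdict, "issuer_later": verdict,
            "goods_released": verdict == "approved", "merchant_paid": verdict == "approved"}
```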

