The way the system should work is every user's card should have a number pad on it where they enter their PIN. It should display the merchant's name, the amount of the transaction, and a transaction ID (i.e. the receipt). The card should then encrypt a message with GPG that is then transmitted to the card holder's bank, authorizing the bank to release the funds to the merchant.
...and that's how it works with lots of European banks' e-banking interface:
a completely offline device (either a chip card in a small calculator-like device, or a card with a keypad directly on it) is used to sign the transaction (or simply the numbers it displays; but you get to see the numbers).
European banks do it because:
- it's really the best possible security at this level of convenience, thus less risk for their customers and thus less potential liability for the banks themselves.
- it's their own e-banking infrastructure, they get to do what pleases them (see point above for what pleases them).
That would be completely different with credit card payment:
- because the banks themselves don't get to decide. Instead they have to abide by whatever Visa and MasterCard impose on them, and Visa and MasterCard are interested in a different point of balance on the security vs. convenience scale (they need credit card usage to be as easy as possible because they need as many transactions as possible to happen, which makes more money flow, which gives them more earnings from the percentages).
What some European banks have introduced is complete out-of-band confirmation of transactions:
you get an SMS asking you to confirm the transaction that you are making with the credit card. Even if the terminal is rigged/bugged, the SMS will show you that the transaction amount isn't what it's supposed to be.
Currently, that's not very convenient (it slows down the procedure a lot), it's not very secure (all it takes is a rigged/bugged picocell spoofing the SMS), but at least it helps discover and intercept fraud much faster (wait, why am I receiving a confirmation SMS when I'm just sitting at work?!?) and is a first baby step in the right direction (the user should rely on an external non-trusty device for displaying info about the transaction and asking for the PIN to sign the transaction).
Sadly, for the sake of convenience, some of these separate e-banking authentication devices are being replaced... by smartphone apps.
Yup. Software running on *always online* devices that can be hacked.
All this because the user already has a phone in their pocket, and because the smartphone has a camera, which is convenient for reading data from QR codes.
For the record: the Bitcoin protocol also relies on the user signing a transaction that they see on their side.
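The signing-device flow described in the quoted proposal and in the reply above (card displays merchant, amount and transaction ID, holder enters the PIN on the card, card signs, bank verifies and compares against what the merchant claims), as an added example that is not code from either poster. It stands in Ed25519 for the GPG signature the proposal mentions, serialises the displayed fields as JSON so card and bank sign and verify identical bytes, and checks the PIN on the card itself so a wrong PIN yields no signature at all; the card ID, PIN, merchant and receipt values are constructed for the example. The bank-side comparison is the same check the out-of-band SMS lets the holder do by eye: the amount the merchant settles has to equal the amount the holder actually authorized.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is what the card shows on its own display before asking for
// the PIN: the three fields the proposal lists.
type Transaction struct {
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	TxID        string `json:"tx_id"`
}

// Authorization is what the card hands to the terminal for forwarding to the
// issuing bank: the transaction exactly as displayed, plus a signature over it.
type Authorization struct {
	Tx  Transaction
	Sig []byte
}

// Card models the offline signing device. The private key and the PIN never
// leave it; the terminal only ever sees Transaction and Authorization values.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewCard generates the card's key pair; the bank registers the public key at
// issuance (enrolment is assumed, not modelled here).
func NewCard(pin string) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv, pin: pin}, pub, nil
}

// canonical serialises the transaction deterministically (fixed struct field
// order), so both sides sign and verify the same bytes. Marshal cannot fail
// for a struct of strings and integers.
func canonical(tx Transaction) []byte {
	b, _ := json.Marshal(tx)
	return b
}

// Authorize runs on the card after tx has been shown on the card's display and
// the PIN has been typed on the card's keypad. A wrong PIN yields no signature.
func (c *Card) Authorize(tx Transaction, enteredPIN string) (Authorization, error) {
	if subtle.ConstantTimeCompare([]byte(c.pin), []byte(enteredPIN)) != 1 {
		return Authorization{}, errors.New("card: PIN rejected, nothing signed")
	}
	return Authorization{Tx: tx, Sig: ed25519.Sign(c.priv, canonical(tx))}, nil
}

// Bank holds the public key registered for each card.
type Bank struct {
	keys map[string]ed25519.PublicKey
}

func NewBank(cardID string, pub ed25519.PublicKey) *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{cardID: pub}}
}

// Settle is the issuer's check. Funds are released only if the signature
// verifies under the card's registered key AND the merchant's settlement
// request matches, field for field, the transaction the holder signed.
func (b *Bank) Settle(cardID string, merchantClaim Transaction, auth Authorization) error {
	pub, ok := b.keys[cardID]
	if !ok {
		return errors.New("bank: unknown card")
	}
	if !ed25519.Verify(pub, canonical(auth.Tx), auth.Sig) {
		return errors.New("bank: signature does not verify")
	}
	if merchantClaim != auth.Tx {
		return fmt.Errorf("bank: merchant claims %d cents for %q, holder signed %d cents for %q",
			merchantClaim.AmountCents, merchantClaim.TxID, auth.Tx.AmountCents, auth.Tx.TxID)
	}
	return nil
}

func main() {
	card, pub, err := NewCard("4921")
	if err != nil {
		panic(err)
	}
	bank := NewBank("card-1", pub)

	// Honest terminal: the amount the card displayed is the amount settled.
	shown := Transaction{Merchant: "Cafe Example", AmountCents: 1250, TxID: "RCPT-0001"}
	auth, err := card.Authorize(shown, "4921")
	if err != nil {
		panic(err)
	}
	fmt.Println("honest terminal:", bank.Settle("card-1", shown, auth))

	// Rigged terminal: relayed 12.50 to the card's display, then settles
	// 1250.00. The holder's signature covers only what the card showed.
	rigged := shown
	rigged.AmountCents = 125000
	fmt.Println("rigged terminal:", bank.Settle("card-1", rigged, auth))
}
```

The point the reply makes about the smartphone replacement follows directly from this split: everything security-relevant (the key, the PIN check, the display the signature is bound to) sits in `Card`, which the terminal cannot reach into; move those into an always-online phone app and the terminal-side attacker has a far larger surface to alter what is displayed before it is signed.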