Which is why modern card technologies like chip cards and tap-to-pay don't expose the sensitive numbers at all. The card reader can't steal a number that doesn't exist. Only magnetic stripe cards are so insecure, but the card reader exploited here doesn't even have a magnetic stripe reader.
That having been said, this isn't perfect security. While a chip/tap card is in contact with the reader, it can still be used for fraudulent purposes. And physical access can open the door to other exploits, like trying to break the card's own security or installing a camera to capture images of the card.
It does look like the EMV contact standard allows for falling back to SDA operation, which involves the card just handing over the static application data, which doesn't ever change and can be cloned fairly easily onto a fake card. I don't know if it's the same data as is encoded in the magnetic stripe, but it's not much better. A hacked card reader might be able to exploit this by pretending to only support SDA. On the other hand, cards can mitigate this by not supporting SDA.
Banks can mitigate most of the effect of this by putting all risk on the merchant if they accept SDA transactions, and then letting the merchant make the choice.
Someone gets their static data skimmed and the card misused? The issuer profits from the chargeback fees...
I've seen stores still have a magnetic readers on their machines, but it's used for vouchers, loyalty cards etc or to scan card numbers to issue refunds. But not for payments.
I've never seen vouchers or loyalty cards handled on payment terminals here in the Netherlands, they always just have a regular bar code that the cashier scans (or that you scan yourself, at a self-checkout).
Your bank holds the public key of the "a certain credit card".
Your thing in the shape of a credit card is a HSM that holds the private key of the "a certain credit card".
A public key (your bank) can verify if a given digital signature generated by a private key (yor card) is valid or not.
The "CC Terminal" is a device that given the inputs (timestamp+value_of_transaction+password), asks the "CC HSM" to generate the signature of said values. "CC HSM" is smart and will ON PURPOSE refuse to generate valid signatures if you're being funny and inputing wrong passwords. Bank can further check if the signature makes sense or not.
Merchant doesn't need to know the public key, the private key, or your password.
> The "CC Terminal" is a device that given the inputs (timestamp+value_of_transaction+password), asks the "CC HSM" to generate the signature of said values.
Which makes a hacked terminal problematic since it can display $1.00 as the amount and actually request the CC HSM to sign a $500 transaction.
In a more safe world, the CC HSM would have it's own display and pin entry, to avoid this exact issue. You really can't validate if the terminal is honest.
Because as you rightly pointed out, who said the evil merchant or MitM thief are either MitM'ing the display system, or even have total control of the display system?
Importantly, though, the credit card system is based around more than just the cryptography involved. By removing the ability to obtain portable payment credentials, the scammer is forced to perform the transaction right then and there. This allows the network to pinpoint the source of the compromise.
A scummy merchant can be banned, a hacked terminal can be removed and examined, etc. And, unlike say a blockchain, a fraudulent transaction can be reversed.
That having been said, this isn't perfect security. While a chip/tap card is in contact with the reader, it can still be used for fraudulent purposes. And physical access can open the door to other exploits, like trying to break the card's own security or installing a camera to capture images of the card.