I hear this a lot and I don't really know how EU's chip and pin works, but wouldn't it be best for the card to spit out an encrypted blob that only the originating bank can decrypt? IE, no number that's useful to anyone in the middle at all? That seems like a better design to me.
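A toy model of the design this commenter is asking about, added here as an illustration and not code from anyone in the thread: the card holds a per-card secret shared only with the issuer (an assumption of this model), and what it hands the merchant is an opaque token plus a transaction-bound authentication code. The merchant forwards the blob without learning a reusable card number, the issuer rejects a blob whose fields were altered in transit, and a transaction counter stops the same blob from being accepted twice. The example uses an HMAC rather than encryption, since the issuer only needs to verify the blob, not read a secret out of it; the token, key and field layout are all constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo key: in the model it lives only inside the card and at the issuer.
# A real deployment would derive a distinct key per card; this is a placeholder.
DEMO_KEY = bytes.fromhex("6f7d5b3a1c9e8f24a0b1c2d3e4f50617")


def encode_transaction(amount_cents, merchant_id, atc, nonce):
    """Canonical byte layout covered by the authentication code (constructed format)."""
    return f"{amount_cents}|{merchant_id}|{atc}|".encode() + nonce


class Card:
    """Simulated card: produces an opaque, transaction-bound blob for the merchant."""

    def __init__(self, token, key):
        self.token = token      # opaque identifier the issuer maps back to the account
        self.key = key          # shared secret, never leaves the card
        self.atc = 0            # application transaction counter, increments per use

    def authorize(self, amount_cents, merchant_id):
        self.atc += 1
        nonce = secrets.token_bytes(8)
        msg = encode_transaction(amount_cents, merchant_id, self.atc, nonce)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Everything the merchant sees: no account number, nothing reusable elsewhere.
        return {
            "token": self.token,
            "amount": amount_cents,
            "merchant": merchant_id,
            "atc": self.atc,
            "nonce": nonce.hex(),
            "mac": mac.hex(),
        }


class Issuer:
    """Simulated issuing bank: the only party able to check a blob."""

    def __init__(self, keys_by_token):
        self.keys = dict(keys_by_token)
        self.last_atc = {token: 0 for token in self.keys}

    def verify(self, blob):
        key = self.keys.get(blob["token"])
        if key is None:
            return False
        # Replay defence: the counter must move forward on every accepted transaction.
        if blob["atc"] <= self.last_atc[blob["token"]]:
            return False
        msg = encode_transaction(
            blob["amount"], blob["merchant"], blob["atc"], bytes.fromhex(blob["nonce"])
        )
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        # Constant-time comparison; any altered field changes the expected MAC.
        if not hmac.compare_digest(expected, bytes.fromhex(blob["mac"])):
            return False
        self.last_atc[blob["token"]] = blob["atc"]
        return True


def demo():
    """End-to-end run: genuine blob accepted, replay and tampering rejected."""
    card = Card("token-0001", DEMO_KEY)
    issuer = Issuer({"token-0001": DEMO_KEY})
    blob = card.authorize(1999, "shop-42")
    accepted = issuer.verify(blob)
    replayed = issuer.verify(blob)
    tampered = dict(card.authorize(500, "shop-42"), amount=1)
    altered = issuer.verify(tampered)
    return accepted, replayed, altered


if __name__ == "__main__":
    print(demo())
```

The merchant-side record in this model is just the blob dict: useful for reconciliation, but useless to anyone who copies it, which is the property the comment is after.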
A lot of places where I pay by PIN they still swipe it afterwards so that they have a record on their own system (not sure why they need this though) - I think this is what OP refers to.
The difference between US banks and mine though is that if I try to pay by signing my bank won't authorise it - I have to enter my PIN (and sometimes sign too) to make a payment.
Payments online is more of the retailers fault though. They shouldn't accept payments where the CVV check or address check fails. Here in the UK most retailers won't accept payments unless it all matches up, but as I understand this isn't as common in the US.
Yes, and the infrastructure is there for chip&pin cards, you just need an ISO7816 USB reader, which are cheap nowadays (<$20). Browsers already support it as well; in fact, our national ID cards follow the same standard and you can log in to governmental websites with the card.