For payment terminals the core problem is that the trust model is ass-backwards. The user is the one at risk from a faulty authn device, so they should be the side "controlling" the authn flow. Merchants would be fine just carrying dumb plastic cards with an ID number. Though these days there's little reason not to just make both sides smart… it could even run on the phones they already have!
