
If they were doing it over (which they now can't) the US should insist on competent independent oversight for EMV and its card issuers. EMV ("Chip and PIN" or in the US case "Chip and Signature") is a proprietary system, and so inevitably the priority for the three card networks (Europay, Mastercard, Visa - hence the name) was to get something they could roll out cheaply and hopefully save some money; security wasn't irrelevant but it wasn't priority #1.

There are a bunch of choices that EMV makes which seem dumb, and then a bunch of choices for issuers that invariably get selected for the overall economic impact for the issuer (typically a bank) not the cost of fraud to individuals.

I don't want to oversell this. Automatically EMV's chips are safer than magnetic stripe because the whole point of magnetic stripe is that writers are a cheap commodity. A bad guy who wants to clone magstripe credit cards can buy everything needed in a hobbyist electronics store, assemble it at home and they've got a cottage industry. Cloning modern protected microchips is by no means impossible, but it's not a viable plan as a side hustle for your job waiting tables.

BUT EMV could have been significantly less fragile, and consumers could have come away from this with all the same protection and the knowledge that this helps them as much as the banks.

Example: An EMV card can be dumb. It can offer Static Data Authentication. SDA is something you could copy from a real card and play back, not so different from the magnetic stripe problem - whereas the more expensive Dynamic Data option prevents this. Why is SDA allowed? Because it makes the cards slightly cheaper. For end users the card seems the same; for the issuer they just saved a few bucks. But now the end users have less fraud protection. Maybe your bank uses these cheaper "dumb" cards for accounts it deems at lower risk, or with smaller credit limits, or at random; you have no way to know.
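The static-versus-dynamic difference described in the comment above, as an added example that is not part of the original comment: a simplified model of what a terminal checks in each mode and why only the dynamic check rejects copied data. It assumes textbook RSA on small constructed keys and invented names (`SdaCard`, `DdaCard`, `terminal_sda`, `terminal_dda`), not EMV's real key sizes, data formats or commands.

```python
import hashlib
import secrets
from types import SimpleNamespace

# Textbook RSA on constructed small keys (Mersenne primes, no padding): a model only.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

ISSUER_PUB, ISSUER_PRIV = make_key(2**107 - 1, 2**127 - 1)  # hypothetical issuer key
PAN = b"PAN=0000000000000000"  # constructed sample card data

class SdaCard:  # static data plus one issuer signature; all of it is readable
    def __init__(self, static_data):
        self.static_data = static_data
        self.issuer_sig = sign(ISSUER_PRIV, static_data)

class DdaCard:  # additionally holds a private key that is never sent to the terminal
    def __init__(self, static_data):
        self.static_data = static_data
        self.pub, self._priv = make_key(2**61 - 1, 2**89 - 1)
        self.cert = sign(ISSUER_PRIV, static_data + repr(self.pub).encode())
    def respond(self, nonce):
        return sign(self._priv, nonce)

def terminal_sda(card):  # only checks that the issuer signed the static data
    return verify(ISSUER_PUB, card.static_data, card.issuer_sig)

def terminal_dda(card):  # checks the certified card key, then a fresh challenge
    if not verify(ISSUER_PUB, card.static_data + repr(card.pub).encode(), card.cert):
        return False
    nonce = secrets.token_bytes(8)
    return verify(card.pub, nonce, card.respond(nonce))

def demo():
    sda, dda = SdaCard(PAN), DdaCard(PAN)
    sda_copy = SimpleNamespace(static_data=sda.static_data, issuer_sig=sda.issuer_sig)
    recorded = dda.respond(b"earlier challenge")  # one previously observed response
    dda_copy = SimpleNamespace(static_data=dda.static_data, pub=dda.pub, cert=dda.cert,
                               respond=lambda nonce: recorded)
    return terminal_sda(sda), terminal_sda(sda_copy), terminal_dda(dda), terminal_dda(dda_copy)
```

`demo()` returns the terminal's verdict for the genuine SDA card, a copy of its readable data, the genuine DDA card, and a copy that can only replay an old response; only the last is rejected.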


