In a properly-designed smartcard-based system, the merchant's computer should request from the card issuer a random security token, and should never--even for a microsecond--hold enough information to perform a transaction not associated with that token. The card issuer would know that the token was issued to the merchant, and could require that any money taken from the card using it must go to an account associated with the merchant.
Ideally, credit-card-entry terminals would be constructed in such a way that a plugged-in smart card would get first "dibs" at keyboard data, nothing else could see it unless the smart card passed it along, and no change to such behavior would be possible without physically compromising the card entry terminal. In such a design, no remotely-programmable machine would ever see a customer's PIN, and thus even attack code with full access to ram-scrape all reprogrammable devices would not gain access to it.
Given the extent to which financial institutions have failed to achieve the level of security which would be possible even with simple magnetic stripe cards, and checks, I wouldn't expect them to implement the best possible smart-card system; nonetheless, a well-designed smart-card system could be made much more secure than would be possible without smart cards.
I think you are confusing the POS terminal software with the [back-end] payment processing server software where the malware actually resided (it would be near impossible to infect enough terminals to affect the records of 70 million people over a period of a few months).
Whether smartcard or magnetic-strip card is used at the POS (Point Of Sale) terminal is irrelevant - the encrypted data/tokens are passed to the payment processing server of one of the PPS companies, such as BluePay, Chase Paymentech, Global Payments, Heartland Payment Systems, International Payment Processing Company, National Processing Company, Pathfinder Processing Solutions, Payment Systems Corp., PayPros etc. etc. (2013 Top 50 Payment Processing Companies)
If Target and Neiman Marcus had the same (or similarly infected) payment processor, it easily explains how otherwise unrelated millions of people in different corners of the US and other countries had their data compromised simply by swiping their cards — the POS terminals and the cards were not the weak point, the servers infected with the RAM Scraper were.
That's why in my post I put the emphasis on and specifically underlined the back-end / processing server software as the infected culprit.
I'll even bet that most of these so called HACKING incidences are merely INSIDE jobs.
Quite possible. Security industry stats show and it is generally agreed that at least 90% of the enterprise data theft is done not through outside infections or break-ins, glorified in many "hacker" movies, but rather using either in-house accomplice or the kind of "social engineering" popularized by Kevin Mitnick.