As has been noted, the vast majority of the EMV cards shipped to banks around the world to date have been the less expensive Static Data Authentication (SDA) kind, which can be cloned, rather than the more expensive Dynamic Data Authentication (DDA) kind, which cannot. In the last quarter of 2006, however, according to the Smart Payment Association, DDA cards accounted for 27% of the almost 100m EMV cards shipped. This fraction will certainly increase over the coming years, not simply because banks will in general shift to the secure cards but because the introduction of dual-interface and contactless cards increases the pressure for offline (i.e., faster) transactions, and offline transactions need DDA (which is why Visa has mandated DDA for dual-interface cards outside the US).
As the volumes go up, the prices will continue to fall (the Visa/MasterCard specification white plastic DDA cards are already down to a couple of euros). It’s time to start thinking about adding PKI-based applications to the DDA cards (DDA cards have cryptographic co-processors on board capable of doing the asymmetric cryptography necessary) and implementing genuine end-to-end security for financial services instead of one-time passwords and pictures of grandmothers.
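To make the SDA/DDA distinction above concrete, here is an added sketch (not part of the original post and not EMV reference code) of what a terminal checks offline in each mode. It assumes toy textbook RSA without padding, flattens the EMV certificate chain to a single issuer key, and every name and value in it is hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA (toy sizes, no padding): return modulus and private exponent."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes so the example runs offline.
ISSUER_N, ISSUER_D = keypair(2**107 - 1, 2**127 - 1)
CARD_N, CARD_D = keypair(2**61 - 1, 2**89 - 1)
STATIC_DATA = b"PAN=0000000000000000;EXP=0000"           # constructed placeholder
SSAD = sign(STATIC_DATA, ISSUER_N, ISSUER_D)             # issuer-signed static data
CERT = sign(str(CARD_N).encode(), ISSUER_N, ISSUER_D)    # issuer-signed card public key

class Card:
    """Everything except private_key is readable by any terminal, so it can be copied."""
    def __init__(self, private_key=None, recorded=None):
        self.static_data, self.ssad = STATIC_DATA, SSAD
        self.card_n, self.cert = CARD_N, CERT
        self.private_key = private_key  # exists only inside the genuine chip
        self.recorded = recorded        # a response observed in an earlier transaction

    def answer(self, challenge):
        if self.private_key is None:
            return self.recorded  # a copy has nothing new to sign with
        return sign(challenge, self.card_n, self.private_key)

def terminal_sda(card):
    """SDA: check only the issuer's signature over the static data."""
    return verify(card.static_data, card.ssad, ISSUER_N)

def terminal_dda(card, challenge=None):
    """DDA: check the card key's certificate, then make the card sign a fresh number."""
    if not verify(str(card.card_n).encode(), card.cert, ISSUER_N):
        return False
    challenge = challenge or secrets.token_bytes(4)
    response = card.answer(challenge)
    return response is not None and verify(challenge, response, card.card_n)
```

A `Card` built without `private_key` carries the same readable data as the genuine one, so `terminal_sda` accepts both while `terminal_dda` accepts only the card that can sign the terminal's fresh number.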
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.