I see a portable dedicated device with very limited communications ability. Just a serial port will do, which probably means serial over USB or serial over Bluetooth. It will also have an SD card socket for wallet backups.
I think this could help with the retail problem too; no reason why you couldn't plug it into a potentially hostile terminal.
How will you ensure that the 2.00 BTC which the hostile terminal shows you are about to pay isn't 450.00 BTC? I.e., how do you plan to deal with the hostile display issue? Will your device have its own screen?