+1

If the machine isn't under my control, then I don't want it to have access to my private key.

The card itself has to do the signing. The card itself also has to display the transaction so I know that what I'm signing is what I intend to sign.  The card itself therefor needs a physical input device that allows me to tell the card that I authorize the transaction.

The terminal should send the transaction to the card, and accept in response a signed transaction that it can broadcast to the bitcoin network.

Unless you are talking about storing the bitcoins in some sort of "bitcoin bank" and the bank issuing a bank card that allows you to access your account with them, you need to stop thinking about bitcoins as just a payment network.  It is also a currency, and many of the things you think you know from your experiences with credit cards and/or debit cards simply won't apply to bitcoin due to its nature as a currency.