My bank should use their own certification authority to generate the certificate for their web site, and should print an appropriately-verifiable hash of the CA certificate on my card so that I can check it easily. (Or perhaps they could provide the certificate on a credit-card-sized CD, along with some appropriate software.)