NFC cards use essentially the same protocol as normal EMV cards (i.e. "Chip and PIN"); only the physical layer is different (plus some transaction flows are not practical with the RF interface, mainly anything that involves offline PIN verification). Security-wise there are two main points that this causes:
- the mechanism that is used to check whether the terminal is even compatible with the card, and the mutual authentication used in doing so, is completely absurd
- the card contains many files that must be readable without any authentication, and most of these files contain information that is somewhat sensitive (usually this set of data includes some kind of transaction log, a freely readable PAN(!) and a partially obscured binary image of the magnetic stripe)
Cloning an EMV (NFC or not) card probably involves at least decapping the chip. But if you have a clueless issuing bank, using the aforementioned freely readable sensitive data you can create a perfectly working magstripe card or use this data for some kinds of card-not-present transactions.
For some reason, the whole security of payment cards is not built on the system being secure, but on the ability to exactly define who is liable for losses when something goes wrong and on the ability of the various actors involved in the system to have different security vs. convenience tradeoffs (e.g. whether PIN, signature or whatever is required for a given transaction is the result of a pretty complex algorithm that involves the transaction itself, the card's current internal state, the terminal's internal state and essentially arbitrary computation on those inputs defined by both the card issuer and the merchant's bank).
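
For anyone reviewing what a card profile exposes in its unauthenticated files, here is an added example (not part of the original answer) that walks the BER-TLV objects in a record and flags the sensitive ones mentioned above. The record bytes are constructed sample data using the 4111... test PAN, and the function names are hypothetical; the tag numbers are the standard EMV ones.

```python
SENSITIVE = {  # EMV tags worth flagging when readable without authentication
    "5A": "Application PAN", "57": "Track 2 Equivalent Data",
    "5F20": "Cardholder Name", "5F24": "Application Expiration Date",
    "9F4D": "Log Entry (transaction log pointer)",
}
# Constructed sample record (template 70) built around the 4111... test PAN.
RECORD = bytes.fromhex(
    "7028" "5A084111111111111111" "5F2403301231"
    "57114111111111111111D30122010000000000" "9F0702FF00"
)

def parse_tlv(data):
    """Yield (tag_hex, value) for every primitive BER-TLV object in data."""
    i = 0
    while i < len(data):
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:        # tag continues in following bytes
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:               # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:                # constructed: descend into template
            yield from parse_tlv(value)
        else:
            yield tag, value

def mask_pan(hex_digits):
    pan = hex_digits.split("D")[0].rstrip("F")   # 'D' separates PAN in track 2
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_record(data):
    """Return {tag: (name, masked summary)} for sensitive objects found."""
    findings = {}
    for tag, value in parse_tlv(data):
        if tag in SENSITIVE:
            shown = mask_pan(value.hex().upper()) if tag in ("5A", "57") else f"{len(value)} bytes"
            findings[tag] = (SENSITIVE[tag], shown)
    return findings
```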