The main reason is history. Credit cards with chips have been around for longer than AES. However, it is not true that 3DES is strictly less secure than AES.
DES has two weaknesses compared with AES: its small key size, and its small block size. 3DES practically compensates for the small key size: with 112 bits, it's well out of reach of brute force attacks (and there are no better cryptanalytic attacks on DES or 3DES with independent keys). The small block size remains a concern, and that makes it inappropriate for large amounts of data exchanged by the same key. Sweet32 drove out 3DES for applications such as TLS and VPN. In banking, the volume of data is relatively small and block collision attacks would be inefficient.
AES has a major drawback: it's very prone to side channel attacks. A naive software implementation uses tables, which is vulnerable to timing attacks if the adversary can observe patterns of memory accesses, which is a concern both on any multi-application system with cache, and on a system where physical attacks are a concern. A hardware implementation can easily avoid timing-based leaks, but tends to leak similar information through power analysis. DES, in contrast, is more naturally resistant to power analysis. Physical attacks such as power analysis and fault injections are very much a concern on smartcards.
A historical note: when DES was designed in 1974, it's now publicly known that NSA got involved and pushed to make DES less resistant against brute force attacks (by reducing the key size from 64 bits to 56 bits), but more resistant against side channel attacks (it was tweaked to resist differential power analysis (DPA), which was not a publicly known attack technique at the time). When AES was designed in 1999 and selected by NIST in 2001, evidently, resistance against side channel attacks were not a priority.
