NFC (Near Field Communications) cards are not passive. NFC readers constantly transmit RF (radio frequency) energy; this is called a carrier signal. Very close to the reader (within about one wavelength, putting the "Near" in Near Field Communications), the RF transmission is strong enough to induce enough energy into the receiving antenna to power the circuit in the card. The card contains a computer chip that has a CPU that can process received data, a small amount of static memory, and the ability to "transmit" a response (transmission is achieved by attenuating the carrier signal).
Mag stripe cards (those that have no embedded chip) are passive. They have only "static" authentication data, which is probably what you're thinking of. The data is encoded on the stripe at the bank when it's issued, and it's always the same data, read after read after read. The mag stripe is technically very limited, and contains only a few pieces of information. They are the PAN (Primary Account Number), cardholder name, expiration date, service code, and a secret value called the CVV (Cardholder Verification Value). In total, no more than 79 characters can be encoded on the first track of a mag stripe.
NFC chip cards used for payments are programmed to emulate the same 79 characters that you might find on a mag stripe card, with a couple of exceptions: they can listen for variable data transmitted by the reader, they can respond with whatever the chip is programmed to send, and each card contains a secret key that is known only to the bank that issued the card.
To communicate, the reader sends the chip some data about the transaction including a random "challenge" number. The chip then encrypts the challenge value (and other transaction data) using the secret key stored in the card. The chip then emits this computed value in place of the CVV. This is called "dynamic" authentication data, because the number is different with every transaction and challenge.
The reason these cards are not easily clonable is that nobody but the bank knows the secret key hidden in the chip, so nobody else can produce a card that will react the same way to the challenge that came from the reader; thus the cloned card cannot produce the correct CVV. The bank is responsible for detecting the incorrect CVV and rejecting the request from the cloned card.
Not all the systems in use today are perfect. Researchers (and criminals) have figured out several attacks. Some cards are inherently insecure because they use weak encryption (such as the MiFare cards often used in transit systems). Some cards have had their secret keys read by using side channel attacks, such as power analysis or timing analysis. Some have been examined using ion beam microscopy, revealing the bits containing the secret keys. And some banks did a poor job initially implementing their secret keys such that they didn't validate the CVVs correctly.
Once a system is properly implemented, chip cards are very, very difficult to clone, whether they be NFC read or inserted into a chip reader.
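The challenge-response exchange described above, as an added sketch that is not part of the original answer: it shows the issuer accepting the genuine chip while rejecting both a replayed code and a clone that copied the card number but not the key. HMAC-SHA256 stands in for the card's real cipher, and `dynamic_code`, `Issuer` and `demo` are hypothetical names. The demo uses an 8-digit code rather than a 3-digit CVV so a chance match cannot blur the result.

```python
import hashlib
import hmac
import secrets

def dynamic_code(card_key: bytes, challenge: bytes, amount_cents: int, digits: int = 3) -> str:
    """Code the chip emits in place of the static CVV for one transaction."""
    # Assumption: a keyed MAC over challenge + transaction data replaces the real cipher.
    msg = challenge + amount_cents.to_bytes(8, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)

class Issuer:
    """The bank: the only party besides the chip that knows each card's key."""
    def __init__(self):
        self._keys = {}

    def issue(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        return key  # written into the chip when the card is issued

    def authorize(self, pan, challenge, amount_cents, code, digits=3) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = dynamic_code(key, challenge, amount_cents, digits)
        return hmac.compare_digest(expected, code)  # constant-time comparison

def demo(digits: int = 8) -> dict:
    """Genuine card, replayed code, and keyless clone against the same issuer."""
    bank = Issuer()
    pan = "4000000000000002"  # constructed sample PAN
    card_key = bank.issue(pan)
    c1, c2 = secrets.token_bytes(8), secrets.token_bytes(8)  # two reader challenges
    amount = 1999
    captured = dynamic_code(card_key, c1, amount, digits)  # genuine response to c1
    genuine = bank.authorize(pan, c1, amount, captured, digits)
    replay = bank.authorize(pan, c2, amount, captured, digits)  # old code, new challenge
    clone_key = secrets.token_bytes(16)  # clone has the PAN but not the chip's key
    forged = dynamic_code(clone_key, c2, amount, digits)
    clone = bank.authorize(pan, c2, amount, forged, digits)
    return {"genuine": genuine, "replayed_code": replay, "keyless_clone": clone}

if __name__ == "__main__":
    print(demo())
```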