Comment Re: 3des (Score 1) 213
Yes, the key is needed to encrypt, but the encrypted PIN block is already encrypted by the card embosser on behalf of the bank. If the merchant passes along the encrypted PIN block as sensitive authentication data to the processor for authorization, the merchant has no need to decrypt.
This, unfortunately, makes the encrypted PIN block more of a password than encrypted data. Cloning cards is still quite possible.