How could you possibly defend against a malicious merchant? They can just have a video camera pointing at the terminal, no amount of encryption would defend against that.
The first few transactions would probably go through, but then some people would notice and report strange transactions. I was told by someone working in that industry that credit card companies would figure out who's the source and cut them off / sue them if it was malicious. I'm not sure if that kind of data mining / correlation is common - I'd really like to hear some details / other confirmations.
