Sky's new pairing doesn't introduce any significant differences to the existing NDS data, that data is still encrypted so only a genuine card can decrypt it, but what it does do is add an additional layer of encryption between the box/card to prevent their cards from being used in card servers like oscam or CCcam (what your c line uses to decrypt channels).

A new HD box running the latest firmware is able to take the incoming NDS data [ECMs/EMMs] from the MPEG (video) stream and further encrypt it before sending it to the card.

An old HD box (or an SD box) just continues as it did before, extracting the NDS data from the MPEG stream and feeding it to the card.

This design allows Sky to alter NOTHING to the existing NDS code, which is essential to (a) prevent loggers/hackers from running comparators over logs from the then/now data streams and (b) allow older boxes to work as before.

Remember, the change has NOT happened at the NDS level, it has happened at the firmware level of both the new HD boxes and the existing cards.

It's the boxes that are instructed to use the pairing algorithm [or not] for a particular channel(s) [or more accurately, entitlement group/level]

If you place a card in a new HD box, the card will be instructed to accept the newly encrypted data using the Sky box's pairing key...

If you then move the card back to oscam, it will continue to expect that encrypted data for that channel(s) and try to decrypt it...
Of course, as the incoming data is NOT encrypted (coming from oscam for example) you'll get nothing worthwhile back..

So what happens when you put a card back in oscam or put it back in an SD box or an old HD box and leave it..?
If the card is unable to verify it's running in a new HD box [after x amount of time (or cycles) or following a new install/pairing process], it reverts back to the original system we all know and love, which is of course easy for most to share.
[I'm sure their lawyers have reminded Sky not to enforce a blackout on paying customers for fear of prosecution or maybe Sky have acknowledged some people may use their own older boxes in the event of a failure..]

How long Sky allow the card to revert back on the other hand is the question most pay servers should be considering..

[...]

Here's a quick overview of both the old and new data exchange:

Current:
ECM/EMM Data is fed to the box via the MPEG stream, it then passes it to the card for a response.

New:
ECM/EMM Data is fed to the box via the MPEG stream, it then further encrypts the data using a pairing key before passing it on to the card. The card decrypts this in order to then decrypt and process the original ECM/EMM command. The reply is then encrypted [again using the pairing key] and sent back to the box, which then decrypts and executes it.

Both the original ECM/EMM data and the reply have not changed, the only thing that has changed is the way the data was exchanged between the box and the card..