The logical consequence of these two requirements is that the temporary display permitted by (2) cannot be output from the module: it must be a display of data that has not yet entered the module.
The boundary of a cryptographic module does not have to be fully defined in physical terms: it needs to define a physical perimeter, but can exclude subsystems defined in logical terms (provided that these subsystems have no impact on the cryptographic operation). A typical definition of a cryptographic module that allows key entry with echo would exclude the part of the system that provides the local echo. When certifying a whole device, this can be done by defining the physical boundary as the device, but defining the logical boundary in a way that excludes the user interface.
At levels 3 and above, a physically separated port or trusted path is required for key entry. This can be, for example, a keypad device, which may have its own local display. That display is allowed to echo the keys the user is typing, but if it does, it must not be used to display data output. A trusted path could be, for example, a window that is protected from snooping and that echoes what the user is typing, but does not display output from the cryptographic processor at any time.