IT Security Expert

Wednesday, 6 June 2007

PCI Encryption Practice Flawed due to the Banks?

I’m no PCI auditor, but I am involved in helping a business reach PCI DSS compliance. On the encryption front, the PCI standard requires cardholder data to be stored in a PCI-approved encrypted format on the backend database. In addition to this, PCI places a big focus on the database encryption key management, ensuring the private key is not known in full by a single person, etc. I don’t have any issues with this; despite good key management being a real pain to implement, it all makes good security sense. But here’s my observation and big issue with the PCI encryption requirements.

When the merchant sends the cardholder data to the bank for the card payments to be processed, the cardholder data is exported from the database unencrypted and sent to the bank in an unencrypted format. Sure, it’s over a point-to-point private connection, but wasn’t the whole point of PCI to prevent the cardholder data from being readable on the database server? The bank payment process is a requirement of the bank, who can only accept the card payment in an unencrypted format. I see a potential threat from an inside attacker capturing significant clear text cardholder data by intercepting this payment process.

I don’t know whether this is already a commonly known PCI issue, or just an issue with UK banks, or whether it's just with a specific “big named” UK bank, but when I raised this concern with a professional PCI auditor, he didn’t give much of a response and just stated it wasn’t the first time he’d been asked about it.

For me, it appears to be a significant hole in the PCI encryption practice, especially as the database encryption is what most PCI auditors appear to care about the most; PCI auditors just love to go on (and on) about “Key Management”. It certainly would be interesting if this were a general problem with the banks, who sit in their ivory towers carrying significant weight on the PCI board and setting out the PCI standards, yet when it comes down to them actually spending the money on improving cardholder security themselves, they just aren’t doing it. Hardly a balanced and fair approach, is it?