Back-up Network Q


leehvaughn
04-10-2007, 11:27 AM
On a segmented network, a separate interface on each server is connected to a separate network used only for backups. The data is sent in a format that is only readable by the backup server, which is located on the other side of the internal firewall on another network segment. Yet, this data, which includes PAN, technically is not encrypted.

How would this situation be handled in meeting PCI requirements for protecting cardholder data?

Thanks for your replies.

Lee

lyalc
04-11-2007, 04:18 AM
Consider the backup network in light of the compensating controls described in one of the appendices (Appendix A, I think).

mdahn
04-11-2007, 10:57 AM
PAN information can be sent across the network unencrypted, so that is not the problem. The problem is that each server is connected to the same network. If access control lists (ACLs) are applied such that they only enable the servers to send data to the backup server, and not vice versa, then you should be OK.

If the backup server can talk to each server on the network and they all talk to it, you could have an issue. Not knowing all the details, it's hard to provide feedback. I would consult your QSA for assistance on this.