• I put some time into thinking through this design, and I am realizing that the right question to be asking here is probably more along the lines of "Why am I storing this data at all?" instead of looking for the best way to store it, given the sensitive nature of the data. Are there users who will be looking at this after each transaction is completed? Why are you even taking possession of a credit card number at all? After the customer swipes their card you shouldn't need to retain that information, I wouldn't think, and I would say keeping it in any form presents more risks than not. Will this data be queried later on, and in what way? By individual transaction, or in aggregate?

    I understand it may not be your place to question the requirements you were given, but I think at least a little pushback is warranted... it just seems strange that you would want or need to retain this kind of data about your customers.

    I've worked at a bank for 12 years and have seen the security requirements evolve from barely existent to on-site Treasury department audits occurring every 90 days (it's a big bank), so now when someone tells me they need a list of account numbers I make sure they have a damn good reason.



    SQL Tips and Scripts
    SQLWorks Blog