• Using encryption alone doesn't solve the credit card problem. The auditor should be asking about split knowledge/dual control of the key - I think it's in section 3.6 of the PCI standard. It depends on the auditor, but many will not sign off on the technique you're using for key management. PCI also requires an annual key change, tracking of retired and destroyed keys, etc, etc. Better to encrypt than not, but just doing encryption won't guarantee PCI compliance and it won't guarantee that your data can't be compromised if someone gets access to the database.
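A sketch of the key-management points raised in this comment, added here as an example that is not from the original thread: a 256-bit data key split into XOR shares held by separate custodians (split knowledge / dual control), and a registry that records each key version's creation, retirement and destruction and flags when the annual change is overdue. The `KeyRegistry`, `KeyRecord` and share layout are assumptions of this example, not structures the PCI standard prescribes.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from functools import reduce
from operator import xor

KEY_LEN = 32  # a 256-bit data-encrypting key

def reconstruct_key(shares: list) -> bytes:
    # Dual control: the key is the XOR of all shares; any proper subset is uniformly random.
    return bytes(reduce(xor, col) for col in zip(*shares))

def split_key(key: bytes, custodians: int = 2) -> list:
    # Split knowledge: custodians-1 random shares plus a final share equal to
    # key XOR (all random shares), so the shares XOR back to the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    return shares + [reconstruct_key([key] + shares)]

@dataclass
class KeyRecord:
    shares: list             # in practice each share sits with a different custodian
    created: date
    status: str = "active"   # active -> retired -> destroyed
    retired: "date | None" = None

class KeyRegistry:
    # Key inventory for the auditor: created, retired (still decrypts old data), destroyed (gone).
    def __init__(self) -> None:
        self.records: dict = {}
        self.active = None
    def rotate(self, today: date, custodians: int = 2) -> int:
        version = len(self.records) + 1
        self.records[version] = KeyRecord(split_key(secrets.token_bytes(KEY_LEN), custodians), today)
        if self.active is not None:  # the previous key is retired, not deleted
            prev = self.records[self.active]
            prev.status, prev.retired = "retired", today
        self.active = version
        return version
    def rotation_overdue(self, today: date, max_age_days: int = 365) -> bool:
        # The annual key change: flag an active key older than max_age_days.
        return self.active is None or (today - self.records[self.active].created).days > max_age_days
    def destroy(self, version: int) -> None:
        rec = self.records[version]
        rec.shares, rec.status = [], "destroyed"  # drop every share; the key is gone
    def key_for(self, version: int) -> bytes:
        rec = self.records[version]
        if rec.status == "destroyed":
            raise KeyError(f"key version {version} was destroyed")
        return reconstruct_key(rec.shares)
```

Retired versions stay reconstructable so records encrypted under them can still be read or re-encrypted; destroyed versions cannot be recovered from the registry at all.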