I have set up encryption within a 2005 database for the purposes of protecting credit card information in a single column with a table.
There is an application sitting on a separate machine which accepts user input and then calls a stored procedure in the SQL database to encrypt the data.
My question, and it may sound simple/obvious, is this:
Will the credit card number be transmitted in clear text to the database at which point the application will encrypt it, or is the data encrypted within the application and then transmitted to the database encrypted?
It is quite a subtle point but very important from a PCI-Compliance standpoint.