To begin with, to reduce the risk of stealing the database, you may wish to store the encrypt/decrypt key elsewhere on the computer. A very simple solution would be to store it in the registry. A more complicated solution would be to use the CryptoAPI to store certificates elsewhere.
For future reference, you'll want to read about PCI-DSS, which are the industry standards for handling credit card information. One decent book on the subject is this one.
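The answer above suggests keeping the key away from the database, either in the registry or via the CryptoAPI. The following is an added example (not part of the original answer) that combines the two: it wraps the database key with DPAPI, the CryptoAPI's `CryptProtectData` as exposed by .NET's `ProtectedData` class, stores only the protected blob in the registry, and tightens the registry key's ACL so only the service account and administrators can read it. It assumes Windows PowerShell 5.1 run elevated; the registry path `HKLM:\SOFTWARE\ExampleApp`, the value name and the service account name are placeholders chosen for this example.

```powershell
# Added example: DPAPI-wrapped database key kept in the registry, not beside the DB.
# Assumes Windows PowerShell 5.1 (System.Security assembly) and an elevated session.
Add-Type -AssemblyName System.Security

$RegPath   = 'HKLM:\SOFTWARE\ExampleApp'   # placeholder path, not from the original answer
$ValueName = 'DbKeyProtected'              # placeholder value name
$Scope     = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Set-RegistryKeyAcl {
    # Limit who can read the protected blob: SYSTEM, Administrators and the service
    # account that runs the application. With LocalMachine scope, any process on the
    # host can call Unprotect, so this ACL is the real access control on the key.
    param([Parameter(Mandatory)][string]$ServiceAccount)
    $acl = Get-Acl -Path $RegPath
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
    foreach ($existing in @($acl.Access)) { $acl.RemoveAccessRule($existing) | Out-Null }
    $grants = @(
        @{ Who = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' },
        @{ Who = 'BUILTIN\Administrators';   Rights = 'FullControl' },
        @{ Who = $ServiceAccount;            Rights = 'ReadKey'     }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $g.Who, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $RegPath -AclObject $acl
}

function Protect-DbKey {
    # One-time provisioning: wrap the raw key with DPAPI and persist only the blob.
    param(
        [Parameter(Mandatory)][byte[]]$KeyBytes,
        [Parameter(Mandatory)][string]$ServiceAccount
    )
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($KeyBytes, $null, $Scope)
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $blob -Type Binary
    Set-RegistryKeyAcl -ServiceAccount $ServiceAccount
    # Clear the plaintext copy held in this process as soon as it is persisted.
    [Array]::Clear($KeyBytes, 0, $KeyBytes.Length)
}

function Unprotect-DbKey {
    # Runtime path: read the blob back and let DPAPI unwrap it on the same machine.
    [byte[]]$blob = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    return [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
}

# Provision a fresh 256-bit key (placeholder service account name), then prove the round trip.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$copy = [byte[]]$key.Clone()
Protect-DbKey -KeyBytes $key -ServiceAccount 'NT SERVICE\ExampleAppSvc'
$recovered = Unprotect-DbKey
if ([System.Linq.Enumerable]::SequenceEqual($copy, $recovered)) {
    Write-Output 'DPAPI-protected key round-trips; plaintext key is not stored anywhere.'
}
```

Two caveats a reviewer would raise: `LocalMachine` scope binds the blob to this host's DPAPI master key, so a copy of the database file alone, or the database plus the exported registry value on another machine, does not yield the key, but code already running on the host with read access to that registry key can still unwrap it, which is why the ACL and the service account split matter. This layering is also what PCI DSS means by keeping the key-encrypting key separate from the data-encrypting key, so it dovetails with the PCI-DSS reading the answer recommends.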