Database encryption or application level encryption?

梦谈多话 2021-02-05 21:33

When you need to store sensitive data such as CCs or SSNs, do you:

1) Build your own encryption routine within the application, define a secret key somewhere in a config

4 answers
  •  伪装坚强ぢ
    2021-02-05 22:15

    Being PCI-DSS Compliant does not remove your legal liability...

    Currently there are only two states which provide such an exemption: Washington & Minnesota...

    DBAs promoting TDE as a PCI-DSS solution, BEWARE!

    TDE only protects data at rest, not data in transit or data in memory... Anybody who has read access can read all the data with any tool...

    IMHO TDE is good when combined with a robust application-level encryption solution... As a stand-alone solution, using TDE alone is a ticking time-bomb that the PCI QSAs buying it off as PCI-DSS compliant have failed miserably to take note of... Wait till the lawyers get a grasp on this fundamental flaw...

    Any security guru will tell you layers of security are the best approach....
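To make the distinction in the answer above concrete: with TDE alone, a `SELECT` run by anyone holding read access on the table returns the card number in clear, because the database decrypts transparently on read. With application-level (field-level) encryption the value that reaches the table is already ciphertext, so the same `SELECT` yields nothing usable without the application's key. The following Go program is an added example, not code from the question or any answer. It uses AES-256-GCM from the Go standard library, binds each ciphertext to its row and column through the GCM associated data so a value copied into another customer's row refuses to decrypt, and keeps a version prefix on the stored form so the key or algorithm can be rotated later. The key, the table name `customers`, the column `card_number` and the test card number are all constructed for the example; in a real deployment the key would come from a KMS or secrets manager that the database role cannot read, otherwise the layering the answer recommends collapses back into the TDE situation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// demoKey is a constructed 32-byte key for this example only. In production the
// key lives in a KMS/HSM or secrets manager, never in the same config or host
// that a database reader can already access.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptField encrypts one sensitive column value with AES-256-GCM. aad binds
// the ciphertext to a specific row and column: a ciphertext moved to another
// row fails authentication instead of silently decrypting to someone else's PAN.
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(aad))
	// Stored form: version tag, nonce, ciphertext+tag. The version tag is what
	// lets a later key or algorithm rotation coexist with old rows.
	return "v1:" + base64.StdEncoding.EncodeToString(nonce) + ":" +
		base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; any tampering, wrong key or mismatched
// aad surfaces as an error, never as garbage plaintext.
func DecryptField(key []byte, stored, aad string) (string, error) {
	parts := strings.Split(stored, ":")
	if len(parts) != 3 || parts[0] != "v1" {
		return "", errors.New("unrecognised stored format")
	}
	nonce, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(nonce) != gcm.NonceSize() {
		return "", errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered value, or ciphertext moved to another row")
	}
	return string(pt), nil
}

// Row models one record exactly as the application hands it to the database:
// the card column holds ciphertext, never the raw PAN.
type Row struct {
	CustomerID int
	CardNumber string
}

// RowAAD is the associated data for the (hypothetical) customers.card_number column.
func RowAAD(customerID int) string {
	return fmt.Sprintf("customers.card_number:%d", customerID)
}

// StoreCard is the INSERT path. What the table (and any TDE-protected SELECT)
// ever sees is row.CardNumber.
func StoreCard(key []byte, customerID int, pan string) (Row, error) {
	ct, err := EncryptField(key, pan, RowAAD(customerID))
	if err != nil {
		return Row{}, err
	}
	return Row{CustomerID: customerID, CardNumber: ct}, nil
}

// ReadCard is the SELECT path for the one code path that legitimately needs the PAN.
func ReadCard(key []byte, r Row) (string, error) {
	return DecryptField(key, r.CardNumber, RowAAD(r.CustomerID))
}

func main() {
	row, _ := StoreCard(demoKey, 42, "4111111111111111") // constructed test PAN
	fmt.Println("value in table :", row.CardNumber)
	pan, _ := ReadCard(demoKey, row)
	fmt.Println("value in app   :", pan)
	moved := Row{CustomerID: 7, CardNumber: row.CardNumber} // ciphertext copied to another row
	_, err := ReadCard(demoKey, moved)
	fmt.Println("moved ciphertext:", err)
}
```

Run it and compare the two printed values: the first is what a DBA, a backup operator or a SQL injection sees, the second only exists inside the application process holding the key. Note that this still leaves the PAN in application memory at decryption time, which is the "data in memory" gap the answer points out; field-level encryption narrows who can read the data, it does not make the reading code path safe on its own.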
