Restricting queries by the presence of a WHERE clause

I'm working on building a system for storing customer credit card details
for reuse in an ecommerce system. The present design involves keeping the
shopping cart details, products, orders and mundane customer details in
one database, and the specific credit card details in another, more
heavily restricted database.

The heavily restricted database is only accessable from another machine
running the secure web server. Periodically customers will enter their
credit card details into that database via forms, and they will need
access to keep it up to date. They access their record via a
username/password combo that maps to a unique customer_id, which was
generated randomly from a pool of 2^92 possible combinations.

No problems so far, until some black hat gets root on the secure web
server. This doesn't necessarily imply they can get root on the database,
but it does mean they have the same access as the web server had, so the
can basically grab all the credit card details with one select query.

What I'd like to be able to do is have the database drop any SELECT,
UPDATE or DELETE queries unless they have something fairly specific in
their WHERE clause. As there are no SELECT triggers, I guess it will have
to involve rules, but it doesn't look like any of them can alter or act on
what's in a WHERE clause. How deep am I going to have to hack to get this
sort of functionality working?

[And, no, limiting won't help either :-( They can just loop around a query like
this: select * from customers where primary_key_field not in
(list_of_previously_seen_keys); ]

TAI,
John