It is not possible to decrypt the data without knowing the secret key. A dictionary attack is not possible either because the dictionary would entirely depend on the key. However, it is worth keeping in mind that if an adversary obtains the key, he can decrypt the whole database.
There's no need to pad the plaintext with random data, because the initialization vector does basically the same thing.
However, there are many important requirements and regulations for storing and handling card data. Not properly adhering to them may leave you open to various legal threats or other expensive sanctions. Rather than risking that, many choose to leave all the complex stuff to a payment processor.