My 2 cents...
The url of EBS is available only to known users/employees.
What is the worst scenario if someone hacks into EBS system. This depends on ur business. Is your appln more of
financial data or manufacturing or what type...
Try to create some virtual desktop and give access from their to users.
Another way is give a public url which is dynamic and change every day so that only
few will know the url and access through it. Direct url acccess outside network/vpn is prevented.
VPN should be able to handle the load unless the internet/network is very slow.
So installing free openVpn can be the solution right? Or RDP connection on a Windows Server?
I wonder what hackers would like to hack into our EBS?
Like you mentioned, credit card information is just one example, depending on modules your ebs is running, there can be many other such examples like payroll data, monthly sales information, etc that can be sold to your client's competitors to disclose business strategy.
OpenVPN is very simple to setup with Endian Firewall, and the traffic is encrypted.
OpenVPN Server Setup & Configure with EFW Firewall
How to setup OpenVPN on an Endian Firewall