In our application, we only transfer cardholder data to a PCI DSS compliant service provider, and don't store it ourselves. We only store first four and last four digits of credit card number for future reference:
1234 **** **** 1234
We have a lot more than 300k transactions annually, so our SP required us to fill a SAQ form, but even they are not sure which one to fill in. We are in between SAQ D (which definitely seems overkill) and SAQ A-EP. Any thoughts?
We collect the info on our website. We get the information on a form, which we post it to our backend. Then, the backend transmits the cardholder info to the PCI compliant SP, and only stores the above mask in the db.
Unfortunately for you, because the card data crosses your server (regardless of what you're storing), you're subject to the full SAQ D. This document provides a good overview of the various levels and their requirements.
Both SAQ A and SAQ A-EP require:
Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions
Posting the card data to your backend server which then sends it on to the service provider means that you do "process [and] transmit cardholder data on your systems". If your server gets compromised in any way (such as Heartbleed), the attacker would then have access to that card data. Thus the higher SAQ level, and all the extra precautions that go with it.
Ideally, you would be able to rewrite your system to post directly from the web page to the service provider, without anything coming back to your server. They ought to be able to provide you with a masked card number in their response, for you to store, but you can also probably just post the masked data back to your server along with their response. You just need to make sure the full data doesn't come back, if you want to qualify for A-EP.
External links referenced by this document: