Which PCI SAQ Should You Fill if You Only Store First Four and Last Four Digits of Credit Card Numbers?
Unfortunately for you, because the card data crosses your server (regardless of what you’re storing), you’re subject to the full SAQ D. This document provides a good overview of the various levels and their requirements.
Both SAQ A and SAQ A-EP require:
"Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions."
Posting the card data to your backend server, which then sends it on to the service provider, means that you do “process [and] transmit cardholder data on your systems”. If your server gets compromised in any way (for example via Heartbleed), the attacker would then have access to that card data. Hence the higher SAQ level, and all the extra precautions that go with it.
Ideally, you would be able to rewrite your system to post directly from the web page to the service provider, without anything coming back to your server. They ought to be able to provide you with a masked card number in their response, for you to store, but you can also probably just post the masked data back to your server along with their response. You just need to make sure the full data doesn’t come back, if you want to qualify for A-EP.
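As an added example that is not part of the original answer, here is a Python guard for the backend side of the design above: it accepts only the provider's token plus a masked card number in first-four/last-four form, and rejects any request that carries a Luhn-valid 13 to 19 digit number anywhere in its body, so a misconfigured front end cannot quietly pull the full PAN back into scope. The field names and sample values are assumptions for illustration.

```python
import re
from typing import Any, Iterator

# Constructed field names: the browser posts the provider's response (token) plus a
# masked PAN back to our server; the full card number must never arrive here.
MASKED_PAN_RE = re.compile(r"^\d{4}\*{5,11}\d{4}$")              # e.g. 4111********1111
DIGIT_RUN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, separators allowed


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _string_leaves(obj: Any) -> Iterator[str]:
    """Yield every string value in a nested JSON-like body (dicts, lists, scalars)."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _string_leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_leaves(v)
    elif isinstance(obj, str):
        yield obj


def contains_full_pan(text: str) -> bool:
    """True if text carries a 13-19 digit, Luhn-valid number, i.e. a likely full PAN."""
    for m in DIGIT_RUN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def validate_checkout_result(body: dict) -> tuple[bool, str]:
    """Accept token + masked PAN only; reject a request carrying a full PAN anywhere."""
    token = body.get("provider_token")
    if not isinstance(token, str) or not token:
        return False, "missing provider_token"
    if not MASKED_PAN_RE.match(body.get("masked_pan", "")):
        return False, "masked_pan must be first four digits, asterisks, last four digits"
    for leaf in _string_leaves(body):
        if contains_full_pan(leaf):
            # Reject before any logging or persistence so the PAN is never written to disk.
            return False, "full PAN detected; request rejected"
    return True, "ok"
```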