
Does PCI DSS apply to a merchant that stores only truncated cardholder data (PAN)?


A truncated PAN, consisting of the maximum of the first 6 and the last 4 digits, is not considered cardholder data per PCI DSS. If the merchant only stores truncated PAN, and does not store, process, or transmit the full PAN, then PCI DSS would not apply to this merchant (except for requirement 12.8, which is between the merchant and their service providers). Keep in mind that if a merchant stores any paper receipts, reports, etc., with full PAN, this is also considered storage of PAN per PCI DSS. PCI DSS does not apply to a merchant that does not electronically store, process, or transmit full PAN data OR store such data on paper receipts, reports, etc. However, PCI DSS (and SAQ A) does apply to a merchant who stores full PAN on paper, even though they’ve outsourced all electronic storage, processing, and transmission of cardholder data to a third party and only electronically store truncated PANs.
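A storage check built on the rule stated in the answer above (at most the first 6 and last 4 digits retained), added here as an example and not part of the original answer: it flags Luhn-valid full PANs and masked values that expose more than 6 + 4 digits in text records. The function names, the accepted mask characters (`*`, `x`, `X`) and the sample records are assumptions constructed for illustration.

```python
import re

# 13-19 digit-or-mask characters, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d*Xx])[\d*Xx](?:[ -]?[\d*Xx]){12,18}(?![\d*Xx])")

# Constructed sample records (no real card data; 4111... is a widely used test number).
SAMPLE = [
    "2024-05-01 order=1001 card=411111******1111 amt=20.00",     # first 6 / last 4 only
    "2024-05-01 order=1002 card=4111 1111 1111 1111 amt=15.00",  # full PAN in storage
    "2024-05-01 order=1003 card=41111111****1111 amt=9.99",      # 8 leading digits kept
    "2024-05-01 order=1004 ref=1234567890123456 amt=5.00",       # 16 digits, fails Luhn
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(token: str) -> str:
    """Return 'full_pan', 'truncated', 'over_exposed' or 'not_pan' for one candidate."""
    s = re.sub(r"[ -]", "", token)
    if s.isdigit():
        return "full_pan" if luhn_ok(s) else "not_pan"
    # Masked value: digits, one run of mask characters, digits.
    m = re.fullmatch(r"(\d*)[*Xx]+(\d*)", s)
    if m and len(m.group(1)) <= 6 and len(m.group(2)) <= 4:
        return "truncated"
    return "over_exposed"       # more than first 6 / last 4 visible, or digits mid-mask

def scan(lines):
    """Return (line_number, kind, redacted_value) for every value needing attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        for match in CANDIDATE.finditer(line):
            s = re.sub(r"[ -]", "", match.group())
            kind = classify(s)
            if kind in ("full_pan", "over_exposed"):
                # Report only first 6 / last 4 so the report itself holds no full PAN.
                findings.append((n, kind, s[:6] + "*" * (len(s) - 10) + s[-4:]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same scan has to cover exported reports and scanned receipts as well as databases and logs, since the answer treats full PAN on paper as storage too.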

Experts123