In our application, we only transfer cardholder data to a PCI DSS compliant service provider, and don't store it ourselves. We only store the first four and last four digits of the credit card number for future reference:
1234 **** **** 1234
We have a lot more than 300k transactions annually, so our SP required us to fill in an SAQ form, but even they are not sure which one to fill in. We are in between SAQ D (which definitely seems overkill) and SAQ A-EP. Any thoughts?
Update:
We collect the info on our website. We get the information on a form, which we post to our backend. Then, the backend transmits the cardholder info to the PCI-compliant SP, and only stores the above mask in the db.