What I am doing is developing financial software and connecting it to a third-party credit card company which is PCI compliant. Our company is a Canadian company. We are not PCI compliant and are not planning to be PCI compliant. But we want to save the last 4 digits of the PAN to help front-line staff identify.
If I ONLY save the last 4 digits of the PAN, client name, expiry date and PRN, do I have to be PCI compliant? If I have to, what about if I ONLY save the last 4 digits of the PAN with the PRN, do I have to be PCI compliant?
I read the PCI DSS documentation. It only said I have to be PCI compliant if I save the PAN, but didn't say if I only save the last 4 digits.
Thank you.