
Can we send BIN number and last 4 digits of Credit Card number to BackEnd Server without violating PCI compliance


I have a credit card based transaction feature in the app, and the app is powered by our Node.js backend talking over HTTPS. We are using the Client SDK for generating a card token that is sent to our back end server, which will send the token along with other details to the payment gateway using the Server SDK in order to charge the customer. After a successful transaction, I am receiving good details along with the BIN number and last 4 digits of the credit card as the response from the payment gateway on the server side. On the client side we are using the Card.IO SDK to collect credit card details like the 16-digit number, CVV and Exp. MM/YY. My question is: if I pass the BIN number (first 6 digits of the credit card) and last 4 digits of the credit card along with the card token to my server for the actual transaction, will this be subject to any violation of PCI compliance? I would greatly appreciate any online citation or references in the context of your advice or conclusion.


Solution

  • Sending a truncated PAN (at most the first 6 digits and last 4 digits of the card number) would keep your back-end server out of scope for PCI-DSS (source).

    The application that has access to full card data usually comes under scope for PA-DSS certification; however, for mobile apps (which are not solely for performing card payments) these can be excused.

    See the PA-DSS checklist for more information: https://www.pcisecuritystandards.org/documents/which_applications_eligible_for_pa-dss_validation.pdf
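As an added example (not part of the answer above and not the asker's code): a client-side helper that emits only the truncated PAN (first 6 and last 4, as the answer describes) next to the gateway token, plus a server-side check that flags a request accidentally carrying a full PAN, so a regression cannot silently pull the backend into scope. The token value, the test PAN and the function names are constructed for illustration.

```javascript
// Added example: keep only a truncated PAN in what the client sends to the
// backend, and detect payloads that still carry a full PAN.
const BIN_LENGTH = 6;   // leading digits the truncation rule allows to keep
const LAST_LENGTH = 4;  // trailing digits the truncation rule allows to keep

// Returns only {bin, last4}; throws instead of passing through a bad PAN.
function truncatePan(pan) {
  const digits = String(pan).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) {
    throw new Error('PAN must be 13-19 digits');
  }
  return { bin: digits.slice(0, BIN_LENGTH), last4: digits.slice(-LAST_LENGTH) };
}

// Payload for the backend: gateway token plus truncated PAN, never the full PAN.
function buildChargePayload(cardToken, pan, amountCents) {
  const { bin, last4 } = truncatePan(pan);
  return { cardToken, bin, last4, amountCents };
}

// Luhn check, used so that a random run of digits is not reported as a PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Server-side guard (e.g. in request validation or a log scrubber): true if
// any 13-19 digit Luhn-valid run appears in the value or its JSON form.
function containsFullPan(value) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  const candidates = text.match(/\d(?:[\s-]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[\s-]/g, '')));
}

// Constructed sample input: a well-known test PAN and a hypothetical token.
const SAMPLE_PAN = '4111 1111 1111 1111';
const SAMPLE_PAYLOAD = buildChargePayload('tok_example_123', SAMPLE_PAN, 1999);
```

`containsFullPan(SAMPLE_PAYLOAD)` is false because the BIN and last 4 never form a 13-digit run, while a string containing the full test PAN is flagged.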