PCI DSS Awareness
The Payment Card Industry (PCI) is a Data Security Standard for organizations that deals with the credit cards branded by Visa, MasterCard, American Express, Discover, and JCB. it is the security governance standard that creates baseline and robust security for organizations that do credit card transactions
PCI DSS standard apply to protect cardholder data especially PAN, cardholder name, service code and expiration date and sensitive authentication data found on magnetic stripe or like data on the micro chip present in the credit cards, CAV2/CVC2/CVV2/CID, and PIN/PIN block
It can be addressed in a simple way
if you dont need the credit card data, dont store it
This is tough question. Yes it is in scope. There is always a possibility of decrypting the data using cryptoanalysis, brute force or birthday attacks.
In our view, it does apply to merchants. The merchants are still responsible that card holder data is handled securely and send to third party service providers. The merchants also have to fulfill the requirement 12.8 that requires the merchants to have a written agreement with the service providers that includes the responsibility of service providers to keep the data secure at all cost.
To be eligible for SAQ A, all elements of the payment pages must only originate from PCI DSS compliant service provider(s), and no single element of a payment page can originate from the merchant’s website.
To be eligible for SAQ A-EP, each individual element of the payment page must originate from either the merchant website or from a PCI DSS compliant service provider. If any element of the payment page originates from a source other than the merchant website or the PCI DSS compliant service provider, then the implementation is not eligible for SAQ A-EP. Reference