
If we transmit a 16-digit card number from a service provider to my application, then PCI DSS is applicable.

But if we use (transmit/store) only the first 6 and last 4 digits of the card number, plus the expiration date, are we then required to comply with PCI DSS?

schroeder
Nilesh G
  • I am not a QSA, but I have done some PCI DSS assessments in the past. As long as the full credit card number does not flow through and is not stored in your system, you should be good. Having said that, I think it's quite easy to guess the missing 6 digits. – Jeroen Sep 01 '17 at 07:20
    PCI DSS explains in detail when you need to comply. Have you read through their document? – schroeder Sep 01 '17 at 10:37

3 Answers


From a PCI DSS standpoint it is not considered "Cardholder Data" unless it includes the full Primary Account Number (the 16-digit card number), so if that never touches your systems then they are indeed out of scope.

If you are looking at it beyond purely PCI, then I would look at whether you actually need that much: transmitting/storing the first six and last four leaves only 10,000 possible combinations to get the "full" PAN. There is still some work to go from there to get sufficient details to "steal" the card, but unless you have a specific reason for needing that much of the PAN, why do it?

motosubatsu
  • I know of at least one e-payment/credit card payment service company that will return the first-6-and-last-4-digits as an 'ID/token' once you send them a credit card number for processing. – fgysin Aug 14 '18 at 07:57
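Both the answer above and Jeroen's comment under the question turn on how much a "first six, last four" value still gives away. The Python below is an added example, not code from the original page or from any PCI SSC material: it truncates a PAN the way such a display/token value is typically stored, then enumerates the masked middle digits and keeps only the fillings that pass the Luhn (mod 10) check, which is the filter a guesser would apply before trying anything else. With six middle digits there are 10^6 fillings, and because the check digit fixes exactly one of them, one in ten survive. The card number 4111 1111 1111 1111 is a widely published test value, not a real account, and the helper names are this example's own.

```python
"""Added example (not from the original page): truncating a PAN to first six /
last four, and enumerating what that truncation still leaves to guess.

The card number 4111 1111 1111 1111 is a widely published test value, not a
real account; helper names below are this example's own."""
from itertools import product
from typing import Iterator

# Luhn contribution of a digit that sits in a "doubled" position:
# double it, then sum the decimal digits of the result (e.g. 7 -> 14 -> 5).
_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check. Every second digit from the right is doubled;
    the rightmost digit is the check digit and is never doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += _DOUBLED[d] if i % 2 == 1 else d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the display/token form: leading IIN/BIN digits and trailing
    digits kept, everything in between masked. Non-digits (spaces, dashes)
    are dropped first so '4111 1111 ...' and '41111111...' truncate alike."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    masked = len(digits) - keep_first - keep_last
    if masked < 1:
        raise ValueError("truncation would expose the whole PAN")
    return digits[:keep_first] + "*" * masked + digits[-keep_last:]


def luhn_candidates(first: str, last: str, length: int = 16) -> Iterator[str]:
    """Yield every PAN of the given length that begins with `first`, ends with
    `last` and passes the Luhn check, i.e. every account number the truncated
    value is still consistent with."""
    missing = length - len(first) - len(last)
    if missing < 0:
        raise ValueError("first/last longer than the PAN")

    def doubled(index: int) -> bool:
        # index counts from the left; position from the right = length-1-index
        return (length - 1 - index) % 2 == 1

    # Contribution of the digits we already know, computed once.
    known = list(enumerate(int(d) for d in first))
    known += [(length - len(last) + i, int(d)) for i, d in enumerate(last)]
    fixed = sum(_DOUBLED[d] if doubled(i) else d for i, d in known)
    mid_doubled = [doubled(i) for i in range(len(first), length - len(last))]

    for mid in product(range(10), repeat=missing):
        total = fixed + sum(_DOUBLED[d] if dbl else d for d, dbl in zip(mid, mid_doubled))
        if total % 10 == 0:
            yield first + "".join(map(str, mid)) + last


def count_luhn_candidates(first: str, last: str, length: int = 16) -> int:
    """Number of Luhn-valid PANs consistent with a truncation."""
    return sum(1 for _ in luhn_candidates(first, last, length))


if __name__ == "__main__":
    shown = truncate_pan("4111 1111 1111 1111")
    print(shown)  # 411111******1111
    print(count_luhn_candidates(shown[:6], shown[-4:]))  # 100000
```

The count is the point: Luhn is a transcription check, not a secret, so it prunes the search by exactly a factor of ten and no more. Whether the remaining 100,000 candidates are a problem depends on what else leaks alongside the truncated value (expiry date, name, a second truncation with different digits kept), which is why the answer above asks whether you need that much of the PAN at all.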

If you accept credit cards as payment, you must comply with PCI DSS. How you accept credit cards determines at what level. For instance, if you have a swipe terminal that connects to a POTS line and none of it touches your network, you are still required to abide by PCI DSS and complete a Self-Assessment Questionnaire (SAQ). Each SAQ begins with a "Before You Begin" section that walks you through which one fits.

PS: If you fully outsource the processing of credit card data to a third party, you still must complete an SAQ-A report.

  • Wish I could upvote this more than once. I can't count the number of times I've heard "we use a CC processor, so we can gleefully ignore PCI". It's not true. – KJ Seefried Mar 29 '18 at 19:50

No. A truncated (i.e. first 6, last 4 only) PAN does not need to be protected by PCI DSS. (I was once a QSA.)

There's a really clear FAQ on the PCI SSC website: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS

withoutfire