From a PCI compliance perspective, storing only the first four and last four digits in plain text is fine. PCI actually allows plain text storage of the first six digits (this is known as the IIN or Issuer Identifier Range), and last four digits (the very last digit is a checksum).
These are similar to the standards for printed receipts, which allow the first six and last three digits to be printed.
Your question does understandably ring alarm bells though. If you (or your systems) have access to the full card number, then you are in the scope of PCI-DSS. Monitoring and maintaining compliance can be time-consuming and costly, especially where your compliance must be verified by a third-party QSA (Qualified Security Assessor).
The better approach, then, would be to use a payment gateway that is already PCI compliant. They would be able to perform the card authorization/settlement and return to you a token ID and/or a hash of the card number which is safe to store in your database.