Comment by Mordisquitos

I'm making the point that I work in a department that develops a payment platform for a variety of retailers and has to perform non-trivial integrations with a broad range of PSPs worldwide, covering all sorts of payment flows, including cases in which the PSP itself has had to do new development on their end to cover use cases that they had never come across before. And yet, we do not at any point pass the card details through the API to the PSP.

The input of all payment method data by the customer takes place either in PSP-hosted fields, on an iframe of the PSP front-end, or via a PSP-provided SDK or drop-in UI, in such a way that our software never sees the introduced data. All we see are the sanitised details (card type, BIN, and last 4 digits) that the PSP then sends to us.