by stephenr 3866 days ago
There is a reason "modern" payment processor services use JavaScript or an iframe or a redirect for payments:

It means the credit card details are never sent to your server, so you are not required to meet the full terms of PCI Compliance on your server

1 comment

Not sure I get you. About PCI DSS. PayumServer does not store any sensitive info anywhere, even in the http session. It is passed through the server to a payment gateway. PayumServer uses iframe or javascript solution (which you mention above) if a payment gateway supports it. For example Stripe.Js supports it and PayumServer reuses this feature.

Every interpretation I've seen about PCI DSS is that any server that credit card data is passed to (whether it stores it or simply re-transmits it) is required to meet some aspect of the policy. Obviously if you aren't storing the data, the rules about storage don't apply... but:

You also need to consider things such as: if the process crashes, does it produce an error log or exception trace with the request information?

Given that Payum is written in PHP and uses the Symfony HTTP Request class, let's consider that in 5.6+, fopen('php://input') (i.e. read the request body) can cause a temp file to be created with the contents of the request body stored in it.

So even if you don't intend to store the request, the underlying technologies often store data transparently (albeit temporarily).
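The crash-log leak the comment above describes, as an added example that is not part of the thread and not Payum's or Symfony's code: a naive exception handler writes the raw request body to the error log, so a single failed request puts the PAN and CVC on disk; the safe handler redacts before logging. The request body, the function names and the test card number are all constructed for the example.

```php
<?php
// Added example (not Payum's code): how an exception handler leaks card data
// into the error log, and how to redact it before anything is written.
// Constructed sample request body; 4242... is a well-known test PAN, not a real card.
$requestBody = 'card[number]=4242424242424242&card[cvc]=123&card[exp]=12/2030&amount=1999';

// Mask anything that looks like a PAN (13-19 digits, optional spaces or dashes),
// keeping only the last four digits, which is all an operator needs for support.
function redact_pan(string $text): string
{
    return preg_replace_callback(
        '/\b(?:\d[ -]?){12,18}\d\b/',
        function (array $m): string {
            $digits = preg_replace('/\D/', '', $m[0]);
            return str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
        },
        $text
    );
}

// The CVC must never be logged at all, not even masked, so drop the value entirely.
function redact_cvc(string $text): string
{
    return preg_replace('/(cvc|cvv|csc)(\]?=)[^&\s]*/i', '$1$2[REDACTED]', $text);
}

function sanitize_for_log(string $text): string
{
    return redact_cvc(redact_pan($text));
}

// Naive handler: dumps the raw body into the log "for debugging". This is the
// pattern that makes the server hold cardholder data even though it never meant to.
function naive_exception_handler(Throwable $e, string $body): string
{
    $line = 'Payment failed: ' . $e->getMessage() . ' body=' . $body;
    error_log($line);
    return $line;
}

// Safe handler: same diagnostics, but nothing PCI-scoped reaches the log.
function safe_exception_handler(Throwable $e, string $body): string
{
    $line = 'Payment failed: ' . $e->getMessage() . ' body=' . sanitize_for_log($body);
    error_log($line);
    return $line;
}

// Demonstration: simulate a gateway failure and show what each handler would log.
$failure = new RuntimeException('gateway timeout');
echo "naive: ", naive_exception_handler($failure, $requestBody), "\n";
echo "safe:  ", safe_exception_handler($failure, $requestBody), "\n";
// The safe line reads:
// Payment failed: gateway timeout body=card[number]=************4242&card[cvc]=[REDACTED]&card[exp]=12/2030&amount=1999
```

The redaction has to run on every path that can serialize the request (exception handlers, debug toolbars, access logs with bodies, uncaught-error pages), which is exactly why the parent comment's point stands: keeping card data off your server entirely is simpler to audit than trying to scrub every sink.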