by stephenr 3863 days ago
Every interpretation I've seen about PCI DSS is that any server that credit card data is passed to (whether it stores it or simply re-transmits it) is required to meet some aspect of the policy. Obviously if you aren't storing the data, the rules about storage don't apply... but:

You also need to consider things such as: if the process crashes, does it produce an error log or exception trace with the request information?

Given that Payum is written in PHP and uses the Symfony HTTP Request class, let's consider that in 5.6+, fopen('php://input') (i.e. read the request body) can cause a temp file to be created with the contents of the request body stored in it.

So even if you don't intend to store the request, the underlying technologies often store data transparently (albeit temporarily).
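The error-log side of this is easy to check for yourself. The script below is an added example, not code from the comment above or from Payum: it shows that a PHP exception's trace retains the arguments of the frames that were on the stack, so a card number passed through a function that later throws can land in whatever the exception handler logs. It assumes PHP 7.4 or later (for the zend.exception_ignore_args setting), uses the well-known test number 4111111111111111 as constructed input, and the function names forwardToGateway, traceLeaksPan and maskPan are hypothetical.

```php
<?php
// Added example (not Payum's or the commenter's code).
// Shows that exception traces keep call arguments by default, so a PAN passed
// down the call stack survives into error logs, and how to switch that off.
// Assumes PHP >= 7.4 (zend.exception_ignore_args).

declare(strict_types=1);

// Constructed test data: a standard test PAN, not a real card number.
const TEST_PAN = '4111111111111111';

// Hypothetical stand-in for the call that re-transmits card data upstream.
function forwardToGateway(array $payload): void
{
    throw new RuntimeException('gateway timeout');
}

// Returns true if any frame of the caught exception's trace still carries the PAN.
function traceLeaksPan(string $pan): bool
{
    try {
        forwardToGateway(['number' => $pan, 'exp' => '12/30', 'cvv' => '123']);
    } catch (RuntimeException $e) {
        foreach ($e->getTrace() as $frame) {
            // 'args' is present only while zend.exception_ignore_args is off.
            if (isset($frame['args']) && strpos(json_encode($frame['args']), $pan) !== false) {
                return true;
            }
        }
    }
    return false;
}

// What a log line may carry instead of the raw PAN: first 6 and last 4 digits.
function maskPan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 10) {
        return str_repeat('*', strlen($digits));
    }
    return substr($digits, 0, 6) . str_repeat('*', strlen($digits) - 10) . substr($digits, -4);
}

// Default engine setting: arguments are retained in traces.
ini_set('zend.exception_ignore_args', '0');
printf("ignore_args=0, PAN present in trace: %s\n", traceLeaksPan(TEST_PAN) ? 'yes' : 'no');

// Hardened: drop arguments from traces (php.ini-production ships with this on).
ini_set('zend.exception_ignore_args', '1');
printf("ignore_args=1, PAN present in trace: %s\n", traceLeaksPan(TEST_PAN) ? 'yes' : 'no');

// The only form of the number that should ever reach a log.
printf("masked for logging: %s\n", maskPan(TEST_PAN));
```

Run it with `php leak_check.php`. PHP's own uncaught-exception output abbreviates array arguments, but application-level handlers that serialise getTrace() (error pages, structured loggers) can emit the full values, which is why the check inspects the frames directly rather than the printed string. Setting zend.exception_ignore_args does nothing for the temp-file case in the comment; for that you still need to confirm what the SAPI buffers to disk and where.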