Payment data should not come into contact with your system. This is especially important for credit card data. Certification according to the PCI standard is unnecessary only if the card data does not come into contact with your systems. Sensitive payment data should be removed from the form after it has been checked and processed via the client API (see below), so that it never reaches your systems. Any other data can be queried in preceding steps.
This mode is also known as “direct post”. The input fields are placed on the merchant payment page and are not provided by PAYONE. The merchant therefore needs to comply with PCI DSS SAQ A-EP certification if the full credit card number (PAN) is processed. Using the pseudocardnumber with “direct post” (e.g. to ask the customer for the CVC) is fine.
To be SAQ A compliant, PAYONE recommends implementing the PAYONE hosted-iFrame solution when processing the full original credit card number (PAN).
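One way to enforce the removal of sensitive fields described in the first paragraph before the form is posted to the merchant server, as an added example that is not PAYONE's own code. The field names `cardpan`, `cardcvc2`, `cardexpiredate` and `pseudocardpan` and all function names are assumptions to adapt to your form; the Luhn check on the remaining fields goes beyond the text and catches a card number typed into the wrong field.

```javascript
// Added example. Field names are assumptions; adapt them to your payment form.
const SENSITIVE_FIELDS = ["cardpan", "cardcvc2", "cardexpiredate"];

// Luhn checksum: true when the digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when the value holds a 13-19 digit run (spaces or dashes allowed)
// that passes the Luhn check.
function looksLikePan(value) {
  const candidates = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// Build the only payload that may be posted to the merchant server:
// sensitive fields are dropped, every other field is checked for a stray PAN,
// and the pseudo card number returned by the client API is added.
function scrubForMerchantPost(fields, pseudoCardNumber) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    if (SENSITIVE_FIELDS.includes(name)) continue;
    if (looksLikePan(value)) {
      throw new Error(`field "${name}" still contains a card number`);
    }
    out[name] = value;
  }
  out.pseudocardpan = pseudoCardNumber;
  return out;
}
```

In a browser, call `scrubForMerchantPost` in the client API success callback and also clear the sensitive input elements themselves, so a later native form submit cannot carry them.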