At first an authentication call is performed on server side. If authenticated, the provider will return an authentication code, that shall be used along the checkout data at form submission, for it to be accepted by the provider.
Shift4 process at form submisison: ajax call (jsonp for external systems) to provider for authorization. If approved, a token is returned. Replace the cc with the token, and submit the form with Checkout Data + token (thus credit card is not stored) within Hybris. @RequestMapping method will perform the placeOrder defined in MultiStepCheckoutController (Converting CartModel to OrderModel, and creating payment subscription)
Ask me for more information, this was a personal experience from SleepNumber.