
We want to integrate a third-party payment service. Their API expects the PAN and expiration date, and we need to determine which PCI level we need.

So, we just collect this data on the client and send it to our server, which then sends the data to them; we do not store it in a database.

jahoza

1 Answer

If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.

To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.

More information can be found in the official summary document.

Bobson
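The "post it directly to them from the front end" option the answer describes, as an added example that is not part of the answer: the browser sends the PAN only to a hypothetical processor tokenization endpoint, and only the returned token is sent to the merchant backend, with a guard that refuses to build a merchant request containing anything PAN-shaped. The URLs, field names, the `{ token }` response shape and the test card number are assumptions.

```javascript
// Hypothetical endpoints (assumptions, not from the answer).
const PROCESSOR_TOKENIZE_URL = "https://api.example-processor.test/v1/tokens";
const MERCHANT_ORDER_URL = "/api/orders";

// Luhn check, used to recognise PAN-shaped strings.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  const d = String(value).replace(/[ -]/g, "");
  return /^\d{13,19}$/.test(d) && luhnValid(d);
}

// Walk a payload and return the paths of any card data it carries.
function findCardData(value, path = "") {
  const hits = [];
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (/^(cvv|cvc|cvn|pan|card_number)$/i.test(k)) hits.push(p);
      else hits.push(...findCardData(v, p));
    }
  } else if (looksLikePan(value)) {
    hits.push(path);
  }
  return hits;
}

// Request 1: card data goes from the browser straight to the processor.
function processorTokenRequest(card) {
  const body = { number: card.pan.replace(/[ -]/g, ""), exp_month: card.expMonth, exp_year: card.expYear };
  return { url: PROCESSOR_TOKENIZE_URL, body };
}

// Request 2: only the token reaches the merchant server; refuse anything PAN-shaped.
function merchantOrderRequest(token, amountCents) {
  const body = { payment_token: token, amount_cents: amountCents };
  const leaks = findCardData(body);
  if (leaks.length) throw new Error("card data would reach merchant server: " + leaks.join(","));
  return { url: MERCHANT_ORDER_URL, body };
}

// `send` is injected so the flow can run offline; in a browser it would wrap fetch().
function checkout(card, amountCents, send) {
  const tokenResponse = send(processorTokenRequest(card));
  return send(merchantOrderRequest(tokenResponse.token, amountCents));
}
```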