This is beyond the capabilities of data actions. You will need to develop a middleware service that the data action calls with the necessary data from PureCloud. Your middleware service can then build an appropriately formed request for the external service, make that request, process the response, and send a response for the data action.
Thanks Tim, I was afraid this would be the answer. Unfortunately, along with all the other concerns (availability, performance, etc.) my middleware would be in scope for PCI-DSS compliance.
I'm still pursuing a more static authentication possibility with the bank, but we may also hit a dead end there.
Tim's correct that SHA256 is not in the current data actions toolkit, so the best solution for the moment would be an intermediary service (some serverless function like an AWS Lambda would seem an ideal choice).
Out of curiosity, what payment processor are you connecting to?