Your reply helped me to understand more about Square’s tokenise process, which led me to find this: Even if the CVV of the credit card is wrong, a token can be generated, is this correct behavior? - #2 by Bryan-Square
So basically, the card tokenisation generated from Square’s card web form will tokenise both valid AND invalid cards. It’s not until the cards API step that the card details are truly validated. Is that correct?