The Application Programming Interface (API) security framework, which is based on widely available European or international security standards, lists the minimum security-related requirements applicable to the SEPA Request-to-Pay (SRTP) and SEPA Payment Account Access (SPAA) scheme participants using APIs, regardless of whether they rely on the default European Payments Council (EPC) SRTP-related API Specifications or on other API specifications.

The SPAA and SRTP schemes were designed to use APIs for communication between scheme participants. Although the two schemes differ somewhat in how they operate and in their maturity, they are sufficiently similar as messaging schemes to allow a common API security framework to be defined. Specificities related to the above-mentioned schemes are described in a dedicated annex.

This framework will become mandatory as of 30 November 2023 for the SRTP and SPAA scheme participants when using APIs.
