The Application Programming Interface (API) security framework, which is based on widely available European or international security standards, lists the minimum security-related requirements applicable to the Verification Of Payee (VOP) scheme participants, as well as to the SEPA Request-to-Pay (SRTP) and SEPA Payment Account Access (SPAA) scheme participants using APIs, regardless of whether they rely on the default European Payments Council (EPC) API Specifications or on other API specifications. 

The VOP, SPAA and SRTP schemes were designed to use APIs for the communication between scheme participants. Although there are some differences relative to how these schemes operate, they are sufficiently similar as messaging schemes to allow to define a common API security framework. In this context it is to be noted that specificities related to the abovementioned schemes are described in a dedicated annex.

This framework will become mandatory as of 5 October 2025 for the VOP, SRTP and SPAA scheme participants when using APIs.

Document download