Version 2.1

API Security Framework

The Application Programming Interface (API) security framework, which is based on widely available European or international security standards, lists the minimum security-related requirements applicable to the Verification Of Payee (VOP) scheme participants, as well as to the SEPA Request-to-Pay (SRTP) and SEPA Payment Account Access (SPAA) scheme participants using APIs, regardless of whether they rely on the default European Payments Council (EPC) API Specifications or on other API specifications.

The VOP, SPAA and SRTP schemes were designed to use APIs for the communication between scheme participants. Although there are some differences in how these schemes operate, they are sufficiently similar as messaging schemes to allow a common API security framework to be defined. Specificities related to the abovementioned schemes are described in a dedicated annex.

This framework will become mandatory as of 5 October 2025 for the VOP, SRTP and SPAA scheme participants when using APIs.

After the launch of the VOP scheme, the VOP WG identified some urgent change requests needed either to solve issues that arose from the deployment of the VOP service, or to clarify some parts of the VOP scheme rulebook, the API specifications and the API Security Framework (ASF). 

Following a public consultation on these urgent change requests, the EPC is launching version 2.1 of the API Security Framework (ASF), which includes additional clarifications on the use of certificates for the VOP scheme.

This framework will become mandatory as of 20 September 2026 for the VOP, SRTP and SPAA scheme participants when using APIs.
