This document describes the security standards to be applied to Application Programming Interfaces (APIs) and communications for PSD2 Access to Account (XS2A)
It assumes that APIs are the only method of XS2A access and communications for Account Servicing Payment Services Providers (ASPSPs) and Third Party Providers (TPPs). It also covers the use of websites and User Interfaces (UIs) by ASPSPs to facilitate TPP discovery and setup of access.
Adapted Payment Service User (PSU) interfaces or other methods of X2SA have not been considered.
This document is aimed at the following audiences:
- Account Servicing Payment Services Providers (ASPSPs)
- National Competent Authorities (NCAs)
- Third Party Providers (TPPs)