“API” is the abbreviation of “Application Programming Interface”. An API is an interface provided by a software application through which actions of the application can be initiated without requiring a traditional user interface.
The application can be contacted by another application with commands or sequences of commands (i.e. scripts) that are similar to source code. This is why the use of an API requires knowledge of the corresponding commands and parameters that the API can process or through which it can output results. The API needs to be distinguished from a binary interface (so-called Application Binary Interface, ABI), which allows the receipt or output of binary data. However, an API can command an application to read, process and/or output data via an ABI. From a security point of view, when operating an application with an API, it must be ensured that access to the API is secured, e.g. by requiring a so-called API key, only allowing access via a secure connection or only from a previously authorized system, etc.
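The three access controls named above (API key, secure connection, previously authorized system) can be combined into a single check in front of the API. The following Python sketch is an added example, not code from any particular payment API; the function name, client ID, sample key and network range are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample configuration (assumptions, not taken from a real system).
# Only SHA-256 digests of issued API keys are stored, never the keys themselves.
KEY_DIGESTS = {
    "shop-frontend": hashlib.sha256(b"constructed-sample-key-1").hexdigest(),
}
# Previously authorized systems per client (RFC 5737 documentation range).
AUTHORIZED_NETWORKS = {
    "shop-frontend": [ipaddress.ip_network("203.0.113.0/28")],
}


def authorize_request(client_id, api_key, source_ip, is_tls):
    """Apply all three controls and return (allowed, reason)."""
    # 1. Secure connection: refuse before the credential is even evaluated.
    if not is_tls:
        return False, "insecure_transport"

    # 2. API key: hash the presented key and compare digests in constant time.
    #    Unknown clients are compared against a dummy digest so they take the
    #    same code path and get the same answer as a wrong key.
    expected = KEY_DIGESTS.get(client_id, "0" * 64)
    presented = hashlib.sha256((api_key or "").encode()).hexdigest()
    if not (hmac.compare_digest(expected, presented) and client_id in KEY_DIGESTS):
        return False, "invalid_credentials"

    # 3. Authorized system: the caller's address must be inside an allowed network.
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed_source"
    if not any(addr in net for net in AUTHORIZED_NETWORKS.get(client_id, [])):
        return False, "unauthorized_source"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one legitimate, one from outside the allowed range.
    for ip in ("203.0.113.5", "203.0.113.200"):
        print(ip, authorize_request("shop-frontend", "constructed-sample-key-1", ip, True))
```

The reason string is intended for the server's own log; the caller should only see a generic rejection.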
In the area of payments, APIs are often used to integrate payment services in e-commerce solutions, to couple payment services with supplementary services such as online identification/KYC, or with other systems facilitating the processing of payments, e.g. a scoring system. Different regulatory, data protection or other legal issues can arise, e.g. concerning service levels, depending on the purpose of the system, the extent of its integration with the other system, and how critical the system addressed through the API is to the system of the party calling it.
APIs also play an important role in the implementation of PSD2. For example, AIS (Account Information Services) may use the API provided by a bank to request data from the bank’s systems. However, legislators and supervisory authorities have so far only defined general, abstract requirements rather than specific, technical (minimum) requirements for such APIs. This has led to the emergence of several competing API standards. The extent to which this diversity of standards will turn out to be positive (in the sense of competition) or negative (in the sense of an impediment for AIS and similar services) remains to be seen.