APIs have become a primary target for hackers looking for logic flaws that can provide direct access to sensitive data. All security frameworks start with a risk assessment and require regular vulnerability and penetration testing of both networks and applications. However, few compliance regulations specifically mention API testing. We will review various security compliance regulations and frameworks such as PCI DSS and SOC 2 and share how APIs are currently covered by security testing requirements.