PSD3: What do you need to know?

The Payment Services Directive 3 (PSD3) is the latest revision of the European Union’s payment regulations, building on the foundations set by PSD2. PSD3 aims to further harmonise rules across the EU, ensure a fair environment for payment service providers, and enhance consumer and fraud protection.

Although the final rules are not expected to come into effect before 2026, it’s crucial for platforms, marketplaces, and other stakeholders to start preparing for these critical changes. This guide provides an overview of the upcoming adjustments to help you navigate Europe’s evolving payment landscape.

What is PSD3?

PSD3 is a European Union directive focused on regulating non-bank payment service providers (PSPs) and enhancing the overall security and efficiency of payment systems within the EU. The directive aims to protect consumer rights, secure personal data, and promote fair competition among payment service providers. As a directive, PSD3 requires transposition into the national laws of EU Member States, ensuring a consistent application of rules across the region.

What’s changing from PSD2 to PSD3?

While PSD2 laid the groundwork for more secure and innovative payment services, PSD3 brings several significant changes to enhance these aspects further:

Strengthened Strong Customer Authentication (SCA)

PSD3 introduces stricter requirements for Strong Customer Authentication (SCA), crucial for verifying users’ identities during electronic transactions. The directive mandates that businesses provide issuers with more detailed environmental and behavioural data, such as user location, transaction time, and device information, to better assess transaction legitimacy and reduce fraud.

Expanded responsibility for fraud

Under PSD3, responsibility for fraud shifts more towards payment service providers if they fail to implement SCA properly. This includes specific provisions for handling “spoofing” fraud cases, where attackers impersonate bank representatives to deceive customers. This change is designed to encourage higher security standards across the industry and provide better protection for consumers.

Broader scope of open banking

PSD3 builds on the open banking principles established by PSD2, enhancing the scope and detail of data sharing between banks and third-party providers. It requires financial institutions to provide more transparent and detailed performance data on their APIs, such as availability and response times. This increased transparency helps businesses make informed decisions about their payment processing partners and fosters a more competitive environment.

New transaction exemptions

The directive introduces exemptions to SCA for certain types of transactions. For example, merchant-initiated transactions (MITs), such as subscriptions, now only require SCA for the initial payment. Other operations, such as mail orders and telephone orders (MOTO), will also have exemptions, which are particularly useful for sectors like the travel industry.

Increased accessibility requirements

PSD3 mandates that Strong Customer Authentication must be accessible to all consumers, including those who are elderly, have disabilities, or are not digitally savvy. To ensure inclusivity, alternative authentication methods must be provided that do not rely solely on digital or smartphone technology.

Integration of digital currencies and new technologies

PSD3 addresses the growing relevance of digital currencies and other emerging payment technologies. It includes provisions for integrating these innovations into the regulatory framework and setting guidelines for their safe and transparent use.

How will PSD3 affect stakeholders?

Consumers

Consumers will benefit significantly from PSD3’s enhanced security measures, which reduce the risk of fraud and ensure clearer information about fees and transaction processes. The directive also supports greater control over personal financial data, potentially leading to more personalised and efficient financial services.

Businesses

For businesses, especially those in the e-commerce sector, PSD3’s stricter security measures can enhance customer trust and reduce fraud-related losses. The expanded open banking framework also allows businesses to offer more diverse and innovative payment solutions, which can improve customer experience and operational efficiency.

Financial Institutions and PSPs

Financial institutions and PSPs will need to upgrade their systems and processes to comply with the new regulatory requirements under PSD3. This includes enhancing their data security measures, refining their SCA processes, and ensuring compliance with the new data-sharing rules. While these changes may involve significant investment, they also open up opportunities for innovation and improved customer service.

How Payop will adapt to PSD3

PSD3 is currently scheduled for introduction around 2026. At this time, the information regarding changes is quite general and there are no specific legal requirements regarding how processes need to be developed. Payop currently meets the European Union’s standards for customer security, fraud prevention, and data protection.

We will actively monitor changes and updates on the EC website. As soon as specific requirements for the upcoming directive are published, we will conduct an internal audit for compliance and, if necessary, update our processes, internal policies, and procedures.

You can learn more about Payop security measures here.
