Cards
APMs
Chargeback Management
Subscriptions
Antifraud
Tax
Pricing
Documentation
API Reference
Support
Status Page
Blog
Glossary
Payment Page demo
If you’re in the payments industry or run a business that relies on digital transactions, you’ve probably heard about the Payment Services Directive (PSD). It’s the EU’s framework for regulating payment services and providers. The most recent version, PSD2, brought big changes to how payments are handled but also raised plenty of questions and challenges.
Now, PSD3 is on the horizon. It promises to fix some of PSD2’s shortcomings while setting the stage for a more secure, innovative, and unified payments ecosystem.
Here’s a breakdown of what’s happening, what’s new, and how it impacts merchants.
Table of Contents
Why is PSD3 happening?
PSD2 had its wins, like introducing Strong Customer Authentication (SCA) and opening the door to Third-Party Payment Providers (TPPs). But let’s face it, implementation wasn’t smooth. Rules weren’t applied consistently across EU member states, and businesses struggled to adapt.
PSD3, together with the new Payment Services Regulation (PSR), is designed to fix these issues. By creating a unified and predictable framework, PSD3 aims to:
- Improve the efficiency and security of electronic payments.
- Simplify compliance for businesses operating across the EU.
- Encourage innovation and competition in the payments market.
PSD2 vs. PSD3 differences: High-level view
PSD2 introduced groundbreaking features like Strong Customer Authentication (SCA) and opened the door to Third-Party Payment Providers (TPPs). But let’s face it—these changes were a headache for many businesses. SCA, for example, added layers of security but also created friction in the checkout process, which, in many cases, frustrated customers and increased cart abandonment rates.
PSD3 builds on these foundations while addressing the gaps. Unlike PSD2, PSD3 emphasizes a unified regulatory framework for payment service providers (PSPs) with more streamlined rules, ensuring consistent application across the EU. It also enhances SCA with greater flexibility and inclusivity, introduces more robust fraud prevention tools, and strengthens open banking by requiring standardized APIs and greater transparency from banks.
On top of it, PSD3 explicitly clarifies exemptions and redefines the Commercial Agent Exemption, removing ambiguities that previously allowed some businesses to operate without appropriate licensing.
Key features of PSD3
Stronger customer authentication
SCA, introduced under PSD2, required two-factor authentication for most online payments. While effective for fraud prevention, its rigid implementation often adds friction for customers and often results in churn. PSD3 refines these rules:
- Flexibility: Merchants can now use two factors from the same category (e.g., a token and SMS OTP) rather than being restricted to different categories (e.g., knowledge and possession).
- Accessibility: SCA must accommodate vulnerable populations, such as those without smartphones or with disabilities. This inclusivity ensures a smoother experience for all customers.
Exemptions: Specific scenarios are exempt from SCA, including:
- Merchant-initiated transactions (MITs), such as subscription renewals after the first authenticated payment.
- Mail and telephone orders (MOTO).
- Tokenized transactions, where SCA is only required for cardholder-initiated actions like enrolling a card in a digital wallet.
These updates make security less of a barrier and more of an enabler for seamless transactions.
Better fraud prevention
PSD3 strengthens fraud prevention by requiring businesses to share more customer data with issuers, such as location, spending patterns, and transaction history. This data-sharing approach allows PSPs to detect and prevent fraudulent activities more effectively without requiring explicit user consent under GDPR when strictly used for fraud prevention.
Merchants can expect higher authorization rates and fewer false declines, but they must also ensure their systems are equipped to handle these data-sharing requirements.
Open Banking upgrades
Open Banking has created opportunities for innovative payment services, but PSD2’s uneven implementation led to challenges like inconsistent API quality and unclear metrics. PSD3 addresses these issues with:
- Custom interfaces: PISPs (Payment Initiation Service Providers) and AISPs (Account Information Service Providers) can build tailored connections with banks.
- Standardized APIs: Banks must now implement consistent APIs and share performance metrics like availability and response times.
- Downtime solutions: Even during outages, banks must maintain third-party access to their systems, reducing disruption to merchants.
Additionally, a new Customer Permission Dashboard gives users more control over their financial data, including the ability to revoke access easily.
Commercial Agent Exemption
Under PSD2, confusion around the Commercial Agent Exemption allowed some e-commerce platforms to bypass licensing requirements. PSD3 clarifies this by specifying that platforms acting as agents for both buyers and sellers cannot offer payment services without a license unless they meet strict conditions. These rules ensure fair competition and protect consumers from potential risks.
Access to payment accounts
PSD3 levels the playing field by granting Payment Institutions (PIs) and Electronic Money Institutions (EMIs) access to central payment systems like TARGET2. This privilege, previously limited to banks, opens up new opportunities for non-bank entities to compete in the payments market.
Transparency for consumers
PSD3 introduces stricter requirements for transparency, ensuring users have clear insights into their payments:
- Currency conversion costs: PSPs must provide detailed estimates for cross-border payment fees.
- Detailed statements: Payment account statements must clearly identify payees, reducing errors and fraud risks while enhancing customer confidence.
What do PSD3 changes mean for merchants?
Clearer regulatory framework for TPPs
Under PSD2, the regulatory landscape for TPPs was anything but straightforward. The lack of clear and consistent rules across EU member states created barriers to their ability to operate in different member states and hindered the development of new and innovative payment services.
PSD3 aims to clarify the regulatory framework for TPPs, making it easier for them to operate across different member states. This could benefit merchants by providing more options for accepting payments and improving competition in the payments industry.
PSD3 is also expected to promote the development of new and innovative payment services. This could create new business models that benefit both merchants and consumers. However, it remains to be seen how the regulatory framework for TPPs will be clarified under PSD3 and what impact this will have on merchants.
Better security measures
Security is a double-edged sword in the payments world. It’s essential for protecting both merchants and customers, but stringent security measures can sometimes add friction to the user experience.
PSD3 seeks to improve this balance by introducing more effective and user-friendly security measures to replace or enhance SCA. Potential updates include:
- Biometric authentication: Using fingerprints, facial recognition, or voice identification to verify customers swiftly and securely.
- Tokenization: Replacing sensitive payment details with unique tokens reduces the risk of data breaches and fraud.
Potential cost of implementing PSD3
One of the concerns that merchants have about the PSD3 directive is the potential cost of implementing the changes. PSD2 was costly for merchants to implement due to the requirements for SCA, and it is unclear whether the new security measures under PSD3 will be any less costly.
The potential costs of implementing PSD3 include:
- Technology upgrades: If PSD3 mandates biometric authentication or tokenization, merchants may need to invest in new hardware or software to support these capabilities.
- Increased transaction fees: Payment service providers may pass on the costs of updating their infrastructure, leading to higher transaction fees for merchants.
- Training and support: Merchants may need to allocate resources to train staff about new systems and provide customer support during the transition.
Impact on customer experience
PSD3 could also have implications for the relationship between merchants and their customers. If the new security measures are too cumbersome or complicated, it could lead to frustrating and alienating customers. Merchants may need to invest in educating their customers about the new security measures to avoid any negative impact on customer experience.
When does PSD3 come into force?
Right now, the PSD3 directive is in the works, and the timeline isn’t set in stone. What we do know is that once it’s adopted—likely in 2025—businesses will have 18 months to get their systems in line. That puts the compliance deadline somewhere in 2026 or early 2027.
The big picture & next steps
PSD3 represents a major step forward for payments in the EU. By addressing PSD2’s challenges, it aims to strike a better balance between security, usability, and innovation.
For merchants, this means more competition, better fraud prevention tools, and new opportunities to expand their payment options. But it’s not all sunshine—adapting to these changes will take time, effort, and money.
Here’s how you can prepare:
- Audit your systems: Identify areas you need to update to comply with PSD3.
- Budget for changes: Prepare for potential costs like new hardware or software.
- Educate your team and customers: Start planning resources to help your team and customers adapt to new security measures.
- Stay informed: Monitor updates from the European Commission and your PSPs to stay ahead of deadlines.
If PSD3 can deliver on its promise to streamline payments without adding unnecessary friction, it has the potential to transform the industry for the better. And that’s something worth keeping an eye on.
