PSD3 and PSR are Coming
The European Union's payments landscape is set for another significant evolution. Following the transformative impact of the second Payment Services Directive (PSD2), the European Commission has introduced its successors: the Third Payment Services Directive (PSD3) and the new Payment Services Regulation (PSR). Think of it less as a complete rewrite and more as PSD2.5 – an upgrade designed to modernize the rules, tackle new challenges, and build on what worked.
So, what prompted this update, and how does this new framework differ from the PSD2 we've grown accustomed to?
Why the Update? Building on PSD2's Foundation
PSD2, applicable across the EU since January 2018, was groundbreaking. It championed Strong Customer Authentication (SCA) to make online payments safer and mandated Open Banking, forcing banks to open up access (with customer consent) for third-party providers to offer innovative financial services.
However, PSD2 wasn't perfect. Its implementation varied across EU member states, leading to inconsistencies. Open Banking faced hurdles, with the quality and performance of bank APIs (the digital doorways for data sharing) often falling short. Crucially, fraudsters adapted. Authorized Push Payment (APP) fraud and 'spoofing' (impersonating bank staff) trick the victim into authorizing the payment themselves, so SCA is satisfied and offers no protection; PSD2 simply wasn't equipped for scams that bypass authentication rather than break it.
PSD3 and PSR aim to address these shortcomings, refining the existing rules and introducing new measures for the digital age.
Key Differences: PSD3/PSR vs. PSD2
Structure: Directive + Regulation = More Harmony
PSD2: Was a single Directive, meaning each EU country transposed it into national law, sometimes with variations.
PSD3/PSR: Splits the framework. PSD3 (the Directive) focuses on licensing and supervising payment institutions (now including e-money providers under one roof). The PSR (the Regulation) contains the operational rules – how payments are made, security requirements, Open Banking rules, etc. – and applies directly across all EU states.
Why the change? The PSR aims to eliminate the inconsistencies seen with PSD2, creating a more unified single market for payments and reducing complexity for businesses operating across borders.
Fraud Fighting Gets Tougher
PSD2: Introduced SCA, which significantly cut certain fraud types.
PSD3/PSR: Steps up the fight considerably:
IBAN/Name Matching (Verification of Payee - VoP): Mandatory for all credit transfers (not just instant payments). Before confirming a payment, your provider must check if the recipient's name matches the account number (IBAN). This aims to stop APP fraud where you're tricked into sending money to the wrong account.
Fraud Data Sharing: Creates a legal basis for payment providers to voluntarily share fraud-related information (like suspicious IBANs or scammer tactics) amongst themselves via dedicated platforms, helping to spot and stop fraud faster.
Spoofing Liability: Introduces rules making payment providers potentially liable if you're tricked by a scammer impersonating them.
Enhanced Monitoring: Requires more sophisticated transaction monitoring, using factors like location, device, and spending habits to spot suspicious activity.
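To make the Verification of Payee step above concrete, here is an added illustration (my own code, not from the Commission, the EPC or any PSP): it validates the IBAN with the ISO 13616 mod-97 check, then compares the name the payer typed with the name the account-holding bank has on file after normalizing case, diacritics and punctuation. The account directory, the similarity threshold and the three-way outcome (match, close match, no match) are assumptions chosen for illustration.

```python
"""Verification of Payee (VoP) style check, constructed example.

1. Validate the IBAN (ISO 13616 mod-97) so a mistyped account is caught early.
2. Look up the name the payee's bank holds for that account (here a constructed
   in-memory directory stands in for the bank's response).
3. Compare the payer-supplied name with the name on file and return
   MATCH / CLOSE_MATCH / NO_MATCH so the payer can be warned before confirming.
The directory, threshold and outcome names are assumptions, not scheme rules.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory: IBAN -> account-holder name as the bank holds it.
ACCOUNT_DIRECTORY = {
    "DE89370400440532013000": "Müller GmbH & Co. KG",
    "GB82WEST12345698765432": "Jane A. Smith",
}

CLOSE_MATCH_THRESHOLD = 0.85  # assumption: tune on real mismatch data


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map letters
    to numbers (A=10 .. Z=35) and require the big integer to leave remainder 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalize_name(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, collapse whitespace, so that
    'Müller GmbH & Co. KG' and 'MULLER GMBH CO KG' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", without_marks.casefold())
    return " ".join(cleaned.split())


def verify_payee(iban: str, claimed_name: str) -> dict:
    """Return the VoP-style outcome for one credit transfer."""
    key = re.sub(r"\s+", "", iban).upper()
    if not iban_is_valid(key):
        return {"result": "INVALID_IBAN", "similarity": 0.0}
    on_file = ACCOUNT_DIRECTORY.get(key)
    if on_file is None:
        return {"result": "UNKNOWN_ACCOUNT", "similarity": 0.0}
    a, b = normalize_name(claimed_name), normalize_name(on_file)
    similarity = SequenceMatcher(None, a, b).ratio()
    if a == b:
        result = "MATCH"
    elif similarity >= CLOSE_MATCH_THRESHOLD:
        result = "CLOSE_MATCH"  # show the payer the name on file before they confirm
    else:
        result = "NO_MATCH"     # the classic APP-fraud signal: warn loudly
    return {"result": result, "similarity": round(similarity, 2)}


if __name__ == "__main__":
    for iban, name in [
        ("DE89 3704 0044 0532 0130 00", "Mueller GmbH & Co KG"),
        ("GB82 WEST 1234 5698 7654 32", "Jane Smith"),
        ("DE89370400440532013000", "Acme Trading Ltd"),
        ("DE88370400440532013000", "Müller GmbH & Co. KG"),
    ]:
        print(iban, name, "->", verify_payee(iban, name))
```

The mod-97 check only tells you the IBAN is well formed, not that the account exists; the name comparison is what catches a scammer who hands the victim a perfectly valid IBAN belonging to a mule account. A close match (a missing middle initial, a transliterated umlaut) should be surfaced to the payer for confirmation rather than silently accepted.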
Strong Customer Authentication (SCA) Refined
PSD2: Mandated authentication with two independent factors from different categories (knowledge, possession, inherence) for most online payments and account access.
PSD3/PSR: Keeps SCA but refines it:
Accessibility: Explicitly requires providers to offer SCA methods that don't rely solely on a smartphone, ensuring everyone (including those with disabilities or low digital skills) can authenticate securely.
Wallet Enrollment: SCA is now clearly required when you first add your card to a digital wallet (like Apple Pay/Google Pay).
Factor Flexibility (Potentially): Hints that two authentication factors might not strictly need to be from different categories (knowledge, possession, inherence) if their 'independence' can be proven, potentially allowing things like fingerprint + face ID.
Clearer Exemptions: Aims to clarify when SCA isn't needed (e.g., for low-risk transactions identified via improved monitoring, or for recurring payments after the initial setup).
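The "Enhanced Monitoring" and "Clearer Exemptions" points fit together: the same risk signals (device, location, spending habits) that flag suspicious activity are what let a provider skip SCA on a low-risk transaction. The following is an added illustration written for this article (not code from any regulator or PSP) of a small transaction-risk scorer feeding an SCA decision. The signals, weights, the 100-unit low-risk limit, the score thresholds and the customer profile are all assumptions for illustration, not figures from the PSR.

```python
"""Transaction risk analysis feeding an SCA decision, constructed example.

Each transaction is compared with the customer's profile: known devices, home
country, and recent authorised amounts. Risk signals add to a score; a low
score on a small amount is exempted from SCA, a very high score is held for
review, everything else gets SCA. All weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    known_devices: set
    home_country: str
    recent_amounts: list  # last N authorised amounts, one currency


@dataclass
class Transaction:
    amount: float
    country: str
    device_id: str
    payee_iban: str
    new_payee: bool  # first payment to this IBAN from this customer


# Assumed weights: chosen to illustrate, not derived from fraud statistics.
W_UNKNOWN_DEVICE, W_FOREIGN, W_NEW_PAYEE = 30, 20, 15
W_AMOUNT_OUTLIER, W_AMOUNT_ELEVATED = 35, 15


def risk_signals(tx: Transaction, profile: CustomerProfile) -> list:
    """Return (signal_name, weight) pairs that fire for this transaction."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append(("unknown_device", W_UNKNOWN_DEVICE))
    if tx.country != profile.home_country:
        signals.append(("foreign_location", W_FOREIGN))
    if tx.new_payee:
        signals.append(("first_payment_to_payee", W_NEW_PAYEE))
    if profile.recent_amounts:
        # Spending-habit check: how many standard deviations above the norm?
        mu = mean(profile.recent_amounts)
        sigma = pstdev(profile.recent_amounts) or 1.0
        z = (tx.amount - mu) / sigma
        if z > 3:
            signals.append(("amount_outlier", W_AMOUNT_OUTLIER))
        elif z > 2:
            signals.append(("amount_elevated", W_AMOUNT_ELEVATED))
    return signals


def risk_score(tx: Transaction, profile: CustomerProfile) -> int:
    """Sum of fired signal weights, capped at 100."""
    return min(100, sum(weight for _, weight in risk_signals(tx, profile)))


def sca_decision(tx: Transaction, profile: CustomerProfile,
                 low_risk_limit: float = 100.0, low_risk_score: int = 20,
                 review_score: int = 80) -> tuple:
    """Decide whether SCA can be skipped. Exemption requires BOTH a low score
    and a small amount; a very high score is held rather than just challenged."""
    score = risk_score(tx, profile)
    if score <= low_risk_score and tx.amount <= low_risk_limit:
        return "EXEMPT_LOW_RISK", score
    if score >= review_score:
        return "HOLD_FOR_REVIEW", score
    return "SCA_REQUIRED", score


# Constructed customer: one known phone, lives in DE, small regular payments.
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"dev-a1"},
    home_country="DE",
    recent_amounts=[20, 35, 25, 40, 30, 28, 32, 22],
)

if __name__ == "__main__":
    for tx in [
        Transaction(30, "DE", "dev-a1", "DE89370400440532013000", False),
        Transaction(45, "DE", "dev-a1", "GB82WEST12345698765432", True),
        Transaction(2500, "RO", "dev-zz", "GB82WEST12345698765432", True),
    ]:
        print(tx.amount, tx.country, tx.device_id, "->", sca_decision(tx, SAMPLE_PROFILE))
```

Two design points matter in practice. The exemption is gated on amount as well as score, because a monitoring engine that has never seen a customer send 2,500 to a new payee has no basis to call it low risk, however clean the device looks. And the signals are logged with the decision (the list returned by `risk_signals`), which is what an investigator or an auditor asks for first when a fraudulent payment slipped through an exemption.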
Open Banking Gets a Performance Boost
PSD2: Mandated banks provide API access but performance varied, and banks had to maintain a 'fallback' access method if the API failed.
PSD3/PSR: Aims to fix Open Banking's plumbing:
Mandatory Dedicated APIs: Banks must offer a high-quality, dedicated API for third-party access.
No More Fallback: The requirement for a backup interface is removed, putting pressure on banks to make their main API reliable.
Performance Standards: APIs must meet higher performance and availability benchmarks, comparable to the bank's own online channels, with public reporting on performance required.
Permission Dashboards: A major new feature! You'll get a dashboard within your online banking to see exactly which third parties you've given access to your data, what they can see/do, and easily revoke that permission in real-time. This requires complex real-time data synchronization between banks and third parties.
Levelling the Playing Field & Cash Access
PSD3/PSR: Includes measures to ensure non-bank payment providers get fairer access to payment systems and the right to a bank account. It also allows retailers to offer cashback without requiring a purchase (up to a limit) and clarifies rules for independent ATM operators to improve cash access.
Alignment with Digital Resilience (DORA)
PSD3/PSR: Explicitly links the authorization and supervision of payment firms to the requirements of the Digital Operational Resilience Act (DORA), demanding robust IT security, risk management, and incident reporting.
What This Means for You
For Consumers: Expect enhanced security against fraud (especially APP scams), more control over who accesses your financial data via the new dashboards, potentially more reliable Open Banking services, and clearer information about charges. The push for accessible authentication is also a win for inclusivity.
For Financial Institutions & PSPs: Significant IT upgrades are needed across authentication systems, payment processing (for VoP), API infrastructure, fraud detection, and compliance reporting. The removal of the API fallback increases the need for resilient systems. While there are costs and complexities, the harmonized rules might simplify cross-border operations, and enhanced security can build customer trust. The mandatory re-authorization for existing payment and e-money institutions under PSD3 is also a key task.
The Road Ahead
PSD3 and PSR represent an evolution, not a revolution. They aim to solidify the gains of PSD2 while patching its weaknesses and preparing the EU payments market for the future. While the final texts are still being negotiated, the direction is clear. Implementation is expected around 2026-2027, giving the industry time to adapt – but preparation needs to start now. This next chapter promises a more secure, competitive, and user-centric payments landscape across Europe.