Your Guide To PSD3, PSR & Changes From PSD2

PSD2 is changing to PSD3. Learn what you need to know, including how the new PSR will impact European payments, open banking, and more.

PSD3 represents the next step in the European Union’s regulatory framework for the European payment services industry. Expected to arrive in 2025, PSD3 builds on the foundations set by PSD1 in 2007 and PSD2 in 2015 by further refining and enhancing the landscape of digital payments within the EU.

PSD3 will introduce significant changes for banks, non-bank payment service providers (PSPs) and consumers. This guide delves into the critical aspects of PSD3, outlining the need-to-know elements of its implications and operational impacts.

To be fully versed in the Payment Services Directive and strong customer authentication (SCA), or if you need a refresher, you can review our PSD2 Guide.

What is the PSD3 EU directive?

The PSD3 (Payment Services Directive 3) is a set of regulations for the payment industry meant to further enhance and build on the goals of previous directives. PSD3 continues the EU’s efforts to create a more integrated, efficient and secure payments ecosystem.

The European Commission put forward its proposal in June 2023 outlining the following six key objectives:

  1. Combat and mitigate payments fraud by introducing more robust measures for fraud prevention, including enabling payment service providers to share fraud-related information, enhancing the strong customer authentication rules and extending refund rights of consumers who fall victim to fraud.
  2. Expand consumer rights and protections by providing customers more control over who accesses their data and for what purpose, improving transparency on their account statements and providing more transparent information on ATM charges.
  3. Level the playing field between banks and non-banks by standardizing electronic payment laws and improving access to all EU payment systems for non-bank PSPs in order to better foster innovation and competition.
  4. Improve the function of open banking by removing remaining obstacles to open banking services and streamlining cross-border payments in an effort to improve parity in efficiency and security between domestic and cross-border transactions.
  5. Improve the availability of cash in shops and via ATMs by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators.
  6. Strengthen harmonization and enforcement of payment rules, including updating the authorization, supervision framework and regulation for non-bank PSPs in order to ensure a level playing field across the EU.

The EC’s proposals also include a new Payment Services Regulation (PSR) to improve consumer protection in a uniform and consistent manner across the entire EU by:

  • Making payment services clearer: The PSR will make sure that all the conditions and necessary information about payment services are transparent and easier to understand.
  • Setting clear rules: The PSR defines clear rights and duties for the providers of payment services and their users. This includes rules about open banking, which allows consumers to securely share their financial data with third parties for better services.

Once the PSR is fully approved, it will automatically apply in all EU countries without needing to be separately introduced into each country’s laws. This means a more consistent approach to consumer protection across the EU, making it easier for financial institutions to operate across borders.

Why is PSD3 needed?

The main objective of the last Payment Services Directive update (PSD2) was to ensure a level playing field between existing and new providers of card, internet and mobile payments. Due to the rise of digital payment methods and new entrants into the payments field accelerated by the impact of the COVID-19 pandemic, the European Banking Authority (EBA) began to identify issues, such as uneven rule implementation across member states, that were hindering the development of open banking.

As a result, the European Commission has put forward proposals to update payments and the wider financial sector. These proposals will amend and modernize PSD2 (updating it to PSD3) and introduce a Payment Services Regulation (PSR) to continue supporting competition and innovation, while also strengthening consumer protections and data security.

These updates are part of the EC’s larger Financial Data Access (FIDA) framework proposal. The objective of FIDA is to improve financial data flow by codifying data sharing permissions, standardizing financial data sharing and access, defining customer data access rights, and more. For more detailed information on FIDA, see the European Commission’s Factsheet.

Which stakeholders will be impacted by PSD3?

Banks and financial institutions (FIs)

Banks and FIs will enjoy access to an expanded payments ecosystem but will need to adapt their legacy systems to meet the increased data sharing and security requirements. They will also face increased competition from non-bank payment service providers.

Payment service providers (PSPs)

PSPs will have greater opportunity for expansion across borders and to develop and provide innovative services, but they will be required to adapt to new regulations and technical standards, including heightened security measures.

Third-party providers

Third-party providers gain access to EU payment systems, which may lead to enhanced competition, but also comes with stringent regulatory compliance. Strong customer authentication (SCA) delegation by issuers to third parties now qualifies as outsourcing and needs to comply with outsourcing rules to authenticate the cardholder, making payment gateways liable for fraud if they fail to apply SCA. These changes will impact all businesses that use or provide third-party banking services, including merchants, banks, FIs, and PSPs.

Merchants

Merchants should benefit from more efficient payment processes and consumer empowerment, though they may have to assume the cost of adapting to new processes and ensure they’re in compliance with transparency requirements.

Consumers

Consumers will need to adapt to new security measures and updates to payment processes but will benefit from more transparency regarding certain payments (such as ATM withdrawal charges), stronger data protections, and more transparent, secure payment mechanisms — including two-factor authentication (2FA). Additionally, SCA will be more accessible to all consumers, including persons with disabilities and those who do not have access to digital channels or payment instruments.

What are the key updates from PSD2 to PSD3?

PSD3’s updates primarily refine existing PSD2 frameworks, focusing on tighter regulations, enhanced competition, broader consumer protections, streamlined data access protocols, and more comprehensive fraud prevention mechanisms. Some of these updates include:

  • Redefining terms, such as account information services (AIS) and payment initiation services (PIS), to make it easier for consumers to make payments, manage finances, and compare financial products
  • Improving consumer rights by introducing stricter rules on handling and accessing consumer data, enhancing transparency on account statements, and providing clearer information regarding ATM charges
  • Expanding open banking by enhancing data sharing mechanisms between banks and third parties by mandating that banks grant third-party providers (TPPs) access to customer account information (AISPs) and the ability to initiate payments (PISPs) with customer consent
  • Extending IBAN — the process by which a payer can confirm the name of a payee before sending a payment to a specific account number — to all credit transfers other than instant payments
  • Extending the scope of strong customer authentication (SCA) to cover more scenarios and stakeholders, clarifying exemptions, and ensuring methods are accessible to all users
  • Placing greater emphasis on tech service providers, requiring them to adhere to stricter regulations and accountability measures, including mandatory compliance with new safeguarding and operational requirements

These changes underscore the directive’s evolution towards a more secure, competitive, and consumer-friendly payments environment.

Key updates from PSD2 to PSD3 on banking service providers in the EU

| | PSD2 | PSD3 |
|---|---|---|
| Regulation of PSPs | Focused on enhancing consumer protection and security | Expands consumer protections, especially in fraud prevention, open banking data access, and cash availability |
| Competition | Encouraged competition by allowing third-party access | Increases competition by further opening up EU payment systems to non-bank PSPs and strengthening fair competition |
| Consumer Protection | Improved consumer rights, especially in fraud prevention | Expands consumer protections, especially in fraud prevention, open banking data access and cash availability |
| Data Access | Required banks to open up APIs to third-parties | Simplifies the API framework by removing the requirement for a fallback interface and introducing a consumer dashboard for data access control |
| Fraud Prevention | Introduced SCA requirements | Enhances SCA by clarifying exemptions, expanding requirements (e.g., for mobile wallet enrollments) and ensuring methods are accessible to all users |

For complete details on the PSD3 updates, see the European Commission’s full list of revised rules.

What will be PSD3’s impact on open banking and SCA?

Open banking

PSD3 will make it easier for businesses to integrate open banking while providing customers more control over their data and confidence about their payments. The intent is to improve adoption for instant payments and other alternate payment methods (APMs) by:

  • Mandating standardized APIs for banks to facilitate smoother, more secure data sharing between banks and TPPs
  • Simplifying connections and data sharing between banks and third parties to improve access to consenting customers’ account data
  • Removing the need for banks to maintain two data access (“fall-back”) interfaces
  • Granting consumers more control over their financial data access permissions and making it easier for them to revoke access if needed

Strong Customer Authentication (SCA)

Building on PSD2’s success, PSD3 aims to secure more transactions while ensuring inclusivity. Some of the ways in which PSD3 will expand and improve its SCA requirements include:

  • Clarifying when certain transactions may be exempt from SCA
  • Requiring SCA for mobile wallet enrollments
  • Requiring payment service providers to offer SCA methods that don’t rely solely on one technology
  • Ensuring greater SCA accessibility for all users, including elderly users, low-income users and users with disabilities

What is the timeline for PSD3?

As of the publication of this article, there is no set implementation timeline for PSD3. However, organizations will have an 18-month transition period to comply with PSD3 requirements once it has been formally adopted. Most outlets expect final adoption to fall in the first half of 2025, which puts the final compliance deadline in either 2026 or early 2027.

What’s the difference between PSD3 and PCI DSS?

The difference between the Payment Services Directive 3 (PSD3) and the Payment Card Industry Data Security Standard (PCI DSS) lies primarily in their scope, purpose and regulatory approach. PSD3 focuses on the regulatory framework for payment services within the EU, while PCI DSS is a global standard for payment card data security.

PSD3 applies specifically to the EU and aims to harmonize the legal framework for payment services across the European Economic Area (EEA). PCI DSS applies worldwide to all entities that store, process, or transmit cardholder data, regardless of their size or transaction volume.

What are the penalties for not complying with PSD3?

It is expected that penalties for non-compliance with PSD3 will be similar to those for PSD2, which can involve fines, as well as potential license removal. Institutions and service providers should seek to avoid these risks, as well as any reputational damage, by fully understanding their responsibilities in adhering to this regulatory framework.

PSD3 and PSR will enhance the EU’s payments landscape by improving security, competition, and consumer protections. As we get closer to implementation, financial institutions must navigate these evolving regulatory standards by making any necessary changes to their IT systems and processes and by finding ways to balance compliance with strategic opportunities.

ACI Worldwide is keeping a close eye on the directive and how it is progressing. We have regulations and compliance experts in house to help you maintain compliance and security across all payments channels and methods.
