Payment services regulation (PSR): all you need to know


73% of businesses using Strong Customer Authentication (SCA) saw online payment fraud decline after it became mandatory. It is no wonder that SCA is a central requirement of PSD2 and of the proposed PSD3. Read on to find out more about payment services regulation in 2024 and the other rules that govern the industry.

Payment regulations add security to B2C and B2B online payments. Thanks to ongoing account validation, Trustpair is the ultimate security measure to protect payments. Request a demo to learn more!


What regulations exist in the payment services industry?

Here is a list of some of the notable regulations that govern the payment services industry including PSD2:

  • Payment Services Directive 1 (PSD1) – came into force in 2009
  • Payment Services Directive 2 (PSD2) – adopted in 2015 and entered into force in January 2016; member states had until January 2018 to transpose it into national law
  • Anti-Money Laundering Directives – rules aimed at preventing the EU financial system from being used for money laundering and terrorist financing
  • Suspicious Transaction and Order Reports (STORs) – required under the EU Market Abuse Regulation: financial institutions must report orders or transactions they reasonably suspect could constitute market abuse, such as insider trading
  • Electronic Fund Transfer Act (EFTA) – a US law from 1978 (implemented by Regulation E) that sets out the rights, responsibilities and liabilities of financial institutions and consumers involved in electronic fund transfers (EFTs)


PSD2: definition, requirements and goals

Payment Services Directive 2 (PSD2) is the EU directive that regulates payment services and payment service providers. It compels companies to change their payment processes, chiefly by requiring strong authentication, while keeping the experience for customers as smooth as possible.

It also establishes that, with the account holder's consent, licensed third-party providers can access a consumer's online payment account, for example to initiate payments or retrieve account information.

The requirements of PSD2 involve:

SCA or two-factor authentication

This extra layer of security, such as a password, a one-time code, facial recognition or a fingerprint, makes it harder for a fraudster who has obtained a single credential to take over an account or approve a payment.

For example, when making a high-value payment to a supplier, a team member may have to log on to the mobile banking app and approve the payment with a fingerprint (Touch ID) to legitimise the transaction.

SCA requires at least two elements from three independent categories, so that compromising one element does not compromise the others:

  • Knowledge – something only the customer knows, such as a PIN or password
  • Possession – something only the customer has, such as a registered mobile phone or hardware token
  • Inherence – something the customer is, such as a fingerprint or face

Fair fees

Merchants can't add a surcharge on top of the transaction value for paying by card. This rule stops airlines and rail operators from tacking on card fees and pocketing the difference.

It applies when the consumer's card issuer or bank and the merchant's payment service provider are both located in the European Economic Area (EEA) and the payment is made with a consumer card, a direct debit or a credit transfer.

Account Information Service Providers (AISP) can share bank account data

Banks must give licensed third parties such as AISPs access to a customer's account data when the account holder consents to it.

This opens the payment market to greater competition, since other providers can see your data if you allow them.

It can also surface unusual payment patterns.

The aims of PSD2 were to give customers a better experience and the assurance that their data is secure, and to increase competition and innovation among payment providers.

For example, one of the ways it fosters innovation is that a provider that can see your accounts and transactions across banks can group them together to give a summary of spending, plan budgets and predict future transactions.

This is especially useful for budgeting apps and other third-party apps that build on this information.


PSD3: definition, requirements and calendar

This brings us nicely to Payment Services Directive 3 (PSD3), a proposal published by the European Commission in June 2023 that follows on from PSD2.

The requirements of PSD3 include:

SCA

The PSD3 proposal sets out more wide-ranging Strong Customer Authentication rules and standards to protect customers.

Since PSD2, SCA has been expected to resist phishing, and the proposal adds 'verifier compromise resistance'. This means the authentication method must be designed so that an attacker who obtains the data the provider stores to validate authentication codes (for example the keys held on the verifier side) still cannot produce codes that pass verification.

There is also a new provision that compels providers to operate transaction monitoring mechanisms, both to support the application of SCA and to spot fraudulent transactions.

Additionally, the two authentication elements no longer need to belong to two different categories, as long as they remain independent. A PIN and a password, for example, are both knowledge elements and could not be combined under PSD2.
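The verifier compromise resistance property described above, together with the possession element from the SCA section, is easier to see in code. The Go program below is an added example, not code from the original article or from any regulator. It contrasts a shared-secret (HMAC) approval code, where the verifier holds the same secret as the customer's device, with a device-held Ed25519 signing key, where the verifier stores only a public key. The user name, IBANs and nonce are constructed sample data. The signed message also includes the amount and payee, which is how PSD2's dynamic-linking requirement (not detailed on this page) stops a phished approval from being replayed for a different transaction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what the customer is asked to approve. Amount and payee are
// part of the signed message so an approval for one transaction cannot be
// replayed for another (PSD2 "dynamic linking").
type Transaction struct {
	Payee  string // payee IBAN (constructed sample data in the demo)
	Amount string // minor units, e.g. "125000" for EUR 1,250.00
	Nonce  string // per-transaction challenge issued by the verifier
}

// message encodes the fields with length prefixes so one field cannot bleed into another.
func (t Transaction) message() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d:%s",
		len(t.Payee), t.Payee, len(t.Amount), t.Amount, len(t.Nonce), t.Nonce))
}

// ---- Scheme A: shared-secret HMAC code (no verifier compromise resistance) ----

// HMACVerifier must store the same secret the customer's device holds, so a
// dump of its database lets an attacker mint valid codes for any transaction.
type HMACVerifier struct{ secrets map[string][]byte }

func NewHMACVerifier() *HMACVerifier { return &HMACVerifier{secrets: map[string][]byte{}} }

// Enrol creates a shared secret and returns the device's copy of it.
func (v *HMACVerifier) Enrol(user string) []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	v.secrets[user] = k
	return k
}

// HMACCode is what the customer's device computes to approve t.
func HMACCode(secret []byte, t Transaction) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(t.message())
	return m.Sum(nil)
}

func (v *HMACVerifier) Verify(user string, t Transaction, code []byte) bool {
	s, ok := v.secrets[user]
	return ok && hmac.Equal(code, HMACCode(s, t))
}

// ---- Scheme B: device-held signing key (verifier compromise resistant) ----

// SigVerifier stores only public keys; stealing them yields nothing that signs.
type SigVerifier struct{ pubs map[string]ed25519.PublicKey }

func NewSigVerifier() *SigVerifier { return &SigVerifier{pubs: map[string]ed25519.PublicKey{}} }

// Enrol generates a key pair, keeps the public half and returns the private
// half, which stays on the customer's device (the possession element).
func (v *SigVerifier) Enrol(user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v.pubs[user] = pub
	return priv
}

func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.message())
}

func (v *SigVerifier) Verify(user string, t Transaction, sig []byte) bool {
	pub, ok := v.pubs[user]
	return ok && ed25519.Verify(pub, t.message(), sig)
}

// ---- An attacker who has dumped the verifier's storage ----

// AttackerForgesHMAC reports whether the stolen verifier secret is enough to
// approve t without the customer's device. It is.
func AttackerForgesHMAC(v *HMACVerifier, user string, t Transaction) bool {
	stolen := v.secrets[user]
	return v.Verify(user, t, HMACCode(stolen, t))
}

// AttackerForgesSig reports whether the stolen public key lets the attacker
// approve t. The best they can do is sign with a key of their own, which fails.
func AttackerForgesSig(v *SigVerifier, user string, t Transaction) bool {
	_, theirPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return v.Verify(user, t, SignTransaction(theirPriv, t))
}

func main() {
	tx := Transaction{Payee: "DE89370400440532013000", Amount: "125000", Nonce: "c0ffee"}

	hv := NewHMACVerifier()
	device := hv.Enrol("alice")
	fmt.Println("HMAC: legitimate code verifies:   ", hv.Verify("alice", tx, HMACCode(device, tx)))
	fmt.Println("HMAC: forged after verifier dump: ", AttackerForgesHMAC(hv, "alice", tx))

	sv := NewSigVerifier()
	priv := sv.Enrol("alice")
	sig := SignTransaction(priv, tx)
	fmt.Println("Sig:  legitimate signature verifies:", sv.Verify("alice", tx, sig))
	fmt.Println("Sig:  forged after verifier dump:   ", AttackerForgesSig(sv, "alice", tx))

	// Dynamic linking: a phished approval for one payee is useless for another.
	redirected := tx
	redirected.Payee = "GB29NWBK60161331926819"
	fmt.Println("Sig:  replayed to a different payee:", sv.Verify("alice", redirected, sig))
}
```

Run it with `go run`: the HMAC scheme accepts the attacker's code after the database dump, the signature scheme rejects it, and both schemes reject the original approval once the payee changes. In a real deployment the device-side key would live in a bank app or a FIDO/WebAuthn authenticator; the point of the example is only what the verifier has to store, and therefore what a breach of the verifier gives an attacker.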

Accessibility

Everyone should be catered for: people who don't use smartphones must be supported with authentication methods that are not solely smartphone-based.

For example, elderly people who don’t own smartphones would need an alternate method of authorization.

Between 2015 and 2023, research found that one in four people (24%) aged 65 and older in the U.S. owned a smartphone.

New exceptions

The proposal adds or clarifies the following SCA exemptions:

  • Merchant-initiated transactions (MITs) – for a subscription, only the first transaction (which sets up the mandate) requires SCA
  • Mail Order Telephone Order (MOTO) transactions – where a customer gives their payment details over the phone or by mail

Fraud liability

Technical service providers such as Apple with Apple Pay, and payment gateways, could now be held liable for fraud when they fail to apply SCA. This gives users more protection and gives the providers an incentive to deliver a solid service.

The PSD3 proposal would further protect customers making online payments and would let them share their data securely so they reap the benefits, including access to cheaper products and services.

The PSD3 proposal is being reviewed by the European Parliament and the Council of the EU. Following that process, a final version could appear at the end of 2024 or in early 2025.

As member states then have 18 months to transpose it into national law, PSD3 is likely to come into force in 2026.

PSD3 vs PSR

Following on from PSD2, we have both PSD3 and the Payment Services Regulation (PSR). PSD3 is a draft directive that mainly centres on the licensing and supervision of payment service providers (PSPs) and must be transposed by each member state. The PSR is a draft regulation covering the conduct-of-business rules for PSPs, such as SCA, fraud liability and open-banking data access, and will apply directly in all EU member states without national transposition. Both are part of the same legislative package.


What are the payment services regulations in the US?

The idea of open banking regulation has now reached the US. In October 2023 the Consumer Financial Protection Bureau (CFPB) proposed a rule under section 1033 of the Consumer Financial Protection Act (CFPA) to give consumers a right to their financial data.

Under the proposed rule, both the consumer and the third parties they authorise would be able to access that financial data. It would apply to a defined set of financial institutions (such as banks and credit unions), financial products and services, and categories of information.

This 'covered data' could include transaction information, account balances, terms and conditions, upcoming bills, account information and more.

At the time of writing, this rule, one of the latest payment services regulations, had not yet been finalised.

Are you interested in payment trends? Download our latest white paper about instant payments!


Recap

There are several different types of payment services regulation. The main ones involve PSD2 and the latest proposed regulation PSD3 which also brings in PSR. Payment regulations add security layers for online money payments. Trustpair is the ultimate security measure to protect online payments from fraud, thanks to ongoing account validation.


FAQ

The regulation of payment systems is the rules and standards surrounding companies and financial institutions for how they handle payments.

The PSD3 payment services regulation is the latest proposed set of rules on how payments are handled, expected to come into effect in 2026. PSD3 would protect customers further when they make online payments, and would let customers share their data securely and gain the benefits of doing so.