PSD3: the main changes to come for your business


The first Payment Services Directives (PSD and PSD2) have impacted our businesses. We have to go through stronger security measures to complete online payment transactions. While it has been successful in reducing fraud, the European Commission is now working on PSD3 to bring forth more regulations. Keep reading to learn the details!

PSD3 will add security layers for online payments, both B2C and B2B. But if you want to completely secure your third-party payments, use Trustpair. Our software protects you against fraud thanks to ongoing account validation of your suppliers’ data. Request a demo to learn more!


What is PSD3?

PSD3 stands for Payment Service Directive — the third version of it. It’s a set of rules and requirements for payment services in Europe regulating how banks, payment institutions, and third-party providers process payments and financial data.

PSD is the regulation that supported the development of Open Banking services.

Its goals are to:

  • Increase security on online payment transactions, financial services, and data management.
  • Improve digital payment standards across the EU.
  • Foster innovation and balance the power between banks and third-party service providers (like FinTech, online banks, etc.)
  • Provide more secure and convenient electronic payment systems and banking services to customers.

PSD3 is still in its early stages and the directive is being worked on by the European Commission. While organizations have to start preparing for it, PSD2 is still the regulation to follow for now.

 

PSD3 vs PSD2: what are the key differences?

PSD2 and PSD3 share the same goals of creating more secure standards online for money services to:

  1. Keep up with technology advancements, like instant payment methods.
  2. Fight the constant rise of payment fraud.
  3. Improve consumer protection.

In the same way that PSD2 offered an improvement over the original PSD rules and requirements, PSD3 will be the natural evolution of PSD2.

It’s not that PSD2 hasn’t been successful: regulatory institutions have declared it has enhanced security, fostered innovation, and helped develop Open Banking. But there is always room for improvement, which is why the European Commission is currently working on PSD3.

The main goal of PSD3 is to further harmonize the payment market across the EU and the EEA, reducing the space for national variation.

To achieve this, the original PSD2 regulation will be split into two distinct elements:

  • The PSD3 will be a directive focusing on payment service providers’ operations, setting out stricter rules regarding Strong Customer Authentication (SCA) — how a consumer identifies themself to log into their bank account. While this was already one of the PSD2 requirements, the exact method for validating a transaction changes with PSD3. This will be adopted locally by each country.
  • A Payment Service Regulation (PSR) will be created to oversee banks’ responsibilities and improve consumer protection. This will automatically become law for all member states of the European Union.

The creation of PSR means the scope of PSD3 will be far greater than the second iteration of the Payment Service Directive. The European Commission believes this will help stay up to date with the financial and payment landscape.

 

PSD3: how will it impact payments?

As the first and second versions of the Payment Service Directive did, PSD3 is forecasted to give a little shake to the payment industry — in Europe, but also to organizations worldwide that do business with European entities.

While not all the regulatory requirements have been finalized yet, one thing is sure: PSD3 will impact the financial market (banks, PSPs, and fintech companies) and its consumers on the operational and legal sides. Organizations will need to create new systems (or upgrade existing ones) to comply with the new rules.

Here are some of the expected requirements of PSD3:

  • Strong Customer Authentication (SCA) will be reinforced. New rules will be created around data access, payment protection, and authentication of users. Where PSD2 required two methods of identification from different categories (knowledge, possession, inherence), PSD3 will allow two methods from the same category.
  • Data management will change. Businesses will have to share more of their data with issuers so they can monitor information like user location, spending habits, transaction history, device IP… Payment service providers (PSPs) will also have access to personal data to prevent fraud without needing explicit consent from their users under the GDPR.
  • Fraud liability will shift. If they don’t apply SCA, payment service providers (third-party providers like online wallets) will be held liable in case of fraud. This is to push companies and banks to maintain high security and regulatory technical standards on their platforms. Issuers will also become liable in case of spoofing.
  • Exemptions will change. Where subscriptions used to be included in SCA, requiring constant authentication, only the first transaction will require it with PSD3. MOTO transactions (mail and telephone orders) won’t need SCA anymore, which should benefit sectors like the travel industry.
  • Accessibility will become a priority. SCA will have to be accessible to all consumers, including the elderly, non-tech-savvy consumers, and people living with disabilities. This means that banking and payment service providers will be required to offer authentication methods that don’t require using a smartphone.

 

PSD3: what is the calendar?

The PSD3 and PSR texts are currently under review by the European Parliament and European Council.

While we don’t yet know the exact timeline, we know that:

  • The final version of the PSD3 and PSR texts will be published in late 2024 or early 2025.
  • There is usually an 18-month transition period given to organizations to adapt and ensure compliance.
  • The PSD3 implementation date for member states is estimated to be in 2026.

The European Banking Authority (EBA) also recently published an opinion which identifies new types and patterns of payment fraud, with solution proposals. This will without a doubt inform the shaping of PSD3.

The good news is: you don’t have to wait until then to make your payments more secure. Trustpair is an anti-fraud software that completely eradicates the risk of third-party fraud in your business.

Our solution provides ongoing account validation, checking your suppliers’ data in real time. This way, you always know who you’re paying, regardless of where your suppliers are located in the world.

According to our latest survey, 96% of US businesses were targeted by at least one fraud attempt in 2023. Using Trustpair means knowing you won’t fall victim to CEO fraud or vendor fraud.

Plus, we help you stay compliant with international regulations — and when the time comes, that will include PSD3 too!

Key Takeaways:

PSD3 is the new iteration of the Payment Services Directive (PSD) in the EU. It will replace PSD2 around 2026, aiming to increase customer protection, level the playing field between banks and third-party service providers, and foster innovation across Europe. You can start enhancing your B2B payment security today by using Trustpair, our anti-fraud software.

Frequently asked questions

The PSD3 proposal is currently being reviewed by the European Parliament and Council. We expect the final version of PSD3 and PSR to be released at the end of 2024, and to be enforceable in 2026.

With PSD3, banks will have to strengthen their SCA (Strong Customer Authentication) while giving third-party service providers (like FinTech or Open Banking apps) access to more data.