PSD3 refers to a predefined set of rules in the payment sector aiming to improve and expand upon the objectives set by earlier directives, PSD1 dating from 2007 and PSD2 issued in 2015.
The main aim of the European Commission's directives on payment services is to establish and sustain a unified market for payments within the EU. This unified market is intended to ensure consistent levels of consumer protection, efficiency, and innovation across all member states. The directive aims to simplify and secure cross-border payments, aligning the rules for electronic payments while encouraging competition and innovation. While PSD1 aimed to create this unified market, PSD2 and the upcoming PSD3 focus on further strengthening it by introducing security for consumers, merchants, and payment service providers to address the evolving landscape of financial services.
The European Union published the first draft of the Third Payment Services Directive (PSD3) on June 28th, 2023. The final version of the document is expected to reach the public during the last months of 2024. As the member states are given a substantial transition period, usually 18 months, PSD3 is expected to take full effect in 2026.
Banks, payment service providers, and all entities impacted by the European Commission's Payment Services Directives might perceive PSD3 as a continuation of PSD2, rather than a major shift in Europe's payment services setup.
The anticipated new regulations stemming from PSD3 improve upon current standards without requiring extensive reconstruction of payment frameworks or costly integration of new technologies. The goal of PSD3 is to expand upon the achievements of PSD2 and provide straightforward solutions to address gaps or areas that are insufficiently covered by PSD2.
When observing the effects of PSD2, the European Commission concluded that the Strong Customer Authentication (SCA) requirements proved to have the most impact on its fraud-prevention efforts. SCA, in general, provides an additional layer of payment security by requiring the end user to apply a minimum of two authentication factors prior to initiating the payment. These factors are separated into the following categories:
An extension to the existing process proposed by PSD3 includes:
Since social engineering fraud gained traction only in the past few years, PSD2 did not provide sufficient guidelines on battling the issue. What makes impersonation fraud, or "spoofing", a challenge to prevent is that the authentication step is still present during transaction authorization, so the processed payment looks legitimate. In reality, however, the user is manipulated into revealing the sensitive data necessary to finalize a payment.
This is where PSD3 comes into play. Proposed points for enhanced spoofing protection include the following:
PSD3 intends to enhance the groundwork established by PSD2 in "open banking," where authorized third-party providers access a customer's banking and payment data to offer useful services like expense summaries, budgeting, and tailored financial products.
The objective of PSD3 concerning open banking is to refine data sharing between banks and third-party providers without causing disruption to the current structure or raising expenses. Alongside setting stricter guidelines for data access interfaces, PSD3 is anticipated to implement the following alterations to open banking:
Through PSD3, the European Commission aims to broaden consumer access to cash by simplifying the provision of cash withdrawal services by ATM operators and merchants. PSD3 introduces two primary methods to expand cash availability for consumers:
Cash Withdrawals without Purchase Obligation at Physical Stores
Currently, retailers like supermarkets can offer customers "cashback" alongside purchases. PSD3 updates these regulations, enabling retailers to provide this cash withdrawal service independently, separate from a purchase. Essentially, customers can request cash directly from the cashier using their payment card or mobile wallet without making a purchase. To ensure fair competition with ATMs and prevent depleting the cash reserves of physical stores, certain limitations like a €50 withdrawal cap will remain in place.
Increased ATM Availability
PSD2 permits certain ATM operators (those not serving payment accounts) to function without a license. PSD3 aims to clarify these exemptions to encourage a higher number of ATMs throughout the EU, especially in regions with limited or no access to ATMs.