Contact us


PSD3: Key Points Relevant to the Payments Industry

In an effort to facilitate a competitive, more secure, efficient, and integrated EU payments market, the European Commission is working on the latest version of the Payments Services Directive and Payments Services Regulation (PSR), collectively referred to as PSD3.

What is PSD3 (Payments Services Directive)?

PSD3 refers to a predefined set of rules in the payment sector aiming to improve and expand upon the objectives set by earlier directives, PSD1 dating from 2007 and PSD2 issued in 2015.

The main aim of the European Commission's directives on payment services is to establish and sustain a unified market for payments within the EU. This unified market is intended to ensure consistent levels of consumer protection, efficiency, and innovation across all member states. The directive aims to simplify and secure cross-border payments, aligning the rules for electronic payments while encouraging competition and innovation. While PSD1 aimed to create this unified market, PSD2 and the upcoming PSD3 focus on further strengthening it by introducing security for consumers, merchants, and payment service providers to address the evolving landscape of financial services.

PSD3 Key Points

  • PSD3 comprises regulations set by the European Commission for the payment services sector, extending upon earlier directives, PSD1 and PSD2.
  • The objectives of the European Commission's Payment Service Directives aim to safeguard consumers and foster a safer, more competitive, effective, and integrated payments market within the EU.
  • PSD3 broadens the scope of PSD2, particularly focusing on aspects such as preventing fraud, facilitating open banking, ensuring data access, upholding consumer rights, maintaining cash availability, and promoting fair competition.

PSD3 Timeline

The European Union published the first draft of the Third Payments Services Directive (PSD3) on June 28th, 2023. The final version of the document is expected to reach the public during the last months of 2024. As the member states are given a substantial transition period, usually 18 months, PSD3 is expected to take full effect in 2026.

PSD2 vs PSD3

Banks, payment service providers, and all entities impacted by the European Commission's Payment Services Directives might perceive PSD3 as a continuation of PSD2, rather than a major shift in Europe's payment services setup.

The anticipated new regulations stemming from PSD3 improve upon current standards without requiring extensive reconstruction of payment frameworks or costly integration of new technologies. The goal of PSD3 is to expand upon the achievements of PSD2 and provide straightforward solutions to address gaps or areas that are insufficiently covered by PSD2.

Key Differences

  • Strict SCA requirements
  • Enhanced customer refund rights
  • Highlighted importance of facilitating open banking through data sharing
  • More rights for consumers in regard to transparency and communication, payment charges, statements, and held funds
  • Enhanced fraud protection, particularly in regard to “impersonation fraud” or spoofing

PSD3 Key Objectives

1.     Stringent SCA Requirements

When observing the effects of PSD2, the European Commission concluded that the Strong Customer Authentication (SCA) requirements proved to have the most impact on its fraud-prevention efforts. SCA, in general, provides an additional layer of payment security by requiring the end user to apply a minimum of two authentication factors prior to initiating the payment. These factors are separated into the following categories:

  • Knowledge - something the user knows (password, PIN)
  • Possession - something the user owns (mobile phone, smart card)
  • Biometrics – something the user is (face recognition, fingerprint)

An extension to the existing process proposed by the PSD3 includes:

  • Clearly defining SCA exempted scenarios
  • Mandating SCA for mobile wallet registration
  • Mandating payment service providers to present SCA options independent of a single technology, ensuring accessibility for a diverse user group (lower income population, the elderly, etc.)

2.     Spoofing/Impersonation Fraud Prevention

Since social engineering fraud gained traction only in the past few years, PSD2 did not provide sufficient guidelines on battling the issue. What makes impersonation fraud or ''spoofing'' a challenge to prevent, is the authentication step that is present during the transaction authorization. This means that the processed payment looks legitimate. However, in reality, the user is manipulated into revealing sensitive data necessary to finalize a payment.

This is where PSD3 comes into play. Proposed points for enhanced spoofing protection include the following:

  • Enhanced customer refund rights – if customers fall victim to a spoofing scam, the bank is liable for fraud in case they don't have proper spoofing protection in place.
  • Mandatory IBAN/name checks – the bank is required to make sure that the name matches the IBAN linked to that particular name.
  • Improved transaction monitoring – heightened measures to detect fraudulent activities
  • Shared data on ongoing fraud – PSPs should be provided a legal framework used for sharing information about recent fraud attempts.
  • Staff and customer education – PSPs are required to educate both parties about fraud prevention.

3.     Open banking enhancements

PSD3 intends to enhance the groundwork established by PSD2 in "open banking," where authorized third-party providers access a customer's banking and payment data to offer useful services like expense summaries, budgeting, and tailored financial products.

The objective of PSD3 concerning open banking is to refine data sharing between banks and TPs without causing disruption to the current structure or raising expenses. Alongside setting stricter guidelines for data access interfaces, PSD3 is anticipated to implement the following alterations to open banking:

  • Eliminating the requirement for banks to maintain two data access interfaces (removing the necessity for a "fallback" interface).
  • Mandating that banks and payment account providers offer a consumer dashboard tool. This tool enables customers to view the entities with access to their data and simplifies the process of revoking access if desired.

4.     Increased Cash Availability

Through PSD3, the European Commission aims to broaden consumer access to cash by simplifying the provision of cash withdrawal services by ATM operators and merchants. PSD3 introduces two primary methods to expand cash availability for consumers:

Cash Withdrawals without Purchase Obligation at Physical Stores

Currently, retailers like supermarkets can offer customers "cashback" alongside purchases. PSD3 updates these regulations, enabling retailers to provide this cash withdrawal service independently, separate from a purchase. Essentially, customers can request cash directly from the cashier using their payment card or mobile wallet without making a purchase. To ensure fair competition with ATMs and prevent depleting the cash reserves of physical stores, certain limitations like a €50 withdrawal cap will remain in place.

Increased ATM Availability

PSD2 permits certain ATM operators (those not serving payment accounts) to function without a license. PSD3 aims to clarify these exemptions to encourage a higher number of ATMs throughout the EU, especially in regions with limited or no access to ATMs.

How can ASEE help?

Are you experiencing issues with spoofing attacks targeting your clients? We'll gladly offer guidance and help you protect your business and your customers.

Feel free to contact us – zero obligation. Our ASEE team will be happy to hear you out.

Want to learn more about cybersecurity trends and industry news?



chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram