Payment Services Directive 3 (PSD3) is an updated version of Payment Services Directive 2 (PSD2) and provides rules on the efficiency and security of electronic/digital payments and financial services in the EU. It aims to improve competition and innovation in the financial industry.
PSD3 sets out more extensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payment systems and account information.
PSD3 aims to protect consumers’ rights and personal information while improving competition in the payments industry.
The new proposals also include a new Payment Services Regulation (PSR) to improve consumer protection. This will be directly applicable to EU member states.
Timeline: There is yet to be a clear timeline for implementing PSD3 and PSR. The finalized versions might be accessible by late 2024. The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2026.
Since introducing the previous Payment Services Directive (PSD), the EU payment services market has experienced significant transformations. This is due to the rise of electronic payments and the entry of new providers offering open banking services.
The main objective of the last Payment Services Directive (PSD2) was to ensure a level playing field between existing and new providers of card, internet, and mobile payments.
Due to developments in the market, the rules and regulations around payments were calling for an update. On June 28, the European Commission put forward proposals to bring payments and the wider financial sector further into the digital age. These proposals will amend and modernize PSD2, which will become PSD3, and introduce a Payment Services Regulation (PSR).
This blog provides a high-level overview of the European Commission’s Payment Services Directive 3 (PSD3) proposals, how they compare to PSD2, and how this will impact the payments industry.
What is PSD3?
PSD3 is an EU Directive that provides rules for the authorization and supervision of non-bank payment service providers (PSPs) in the EU. The PSD3 aims to protect consumers’ rights and personal information while improving competition in the payments industry. This will empower consumers to securely share their data and contribute to a broader range of innovative financial products and services. Since it’s a directive, the PSD3 rules need to be transposed into the national laws of the various EU Member States.
What is PSR?
PSR is an EU Regulation that directly applies to the EU Member States once adopted and entered into force. The PSR will be directly applicable without the need for transposition by member states at a national level. This contributes to a uniform and consistent implementation across the entire EU. The PSR aims to improve consumer protection, an area in which consistency of rules is crucial.
PSD2 vs PSD3
PSD3 will cover a more extensive scope than PSD2. This makes it more suitable for today’s payments landscape given the uneven implementation of rules that could encourage regulatory arbitrage. It covers most parts of PSD2, such as transparency, liability, and open banking. However, PSD3 sets out more extensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payment systems and account information compared to PSD2. This plays a pivotal role in safeguarding payment transactions and counteracting payments fraud.
Learn more about how PSD2 and SCA have been interacting up until now.
PSD3's impact on the payments industry
The changes regarding Strong Customer Authentication (SCA) and access to payment systems and account information will affect the payments industry. Let's look at these changes and how they will make a difference.
Strong Customer Authentication
The PSD3 changes regarding SCA will contribute to safer buying experiences. There will be new rules around data sharing, fraud prevention, authentication, transactions, and accessibility.
Data Businesses will need to share more data with issuers, allowing them to monitor environmental and behavioral characteristics such as user location, transaction time, devices used, spending habits, transaction history, session data, and device IP. As a result, they can increase approval rates by better determining which transactions to approve and which to decline. Payment schemes and PSPs will also be allowed to process personal data for fraud prevention without explicit user consent under the General Data Protection Regulation (GDPR). This only applies if they use the data to prevent fraud.
Fraud The new proposals also suggest a liability shift in terms of fraud. Schemes, technical service providers (such as wallet providers), and payment gateways will be liable for fraud if they fail to apply SCA. This protects payers from technical malfunctions and encourages providers to maintain a high quality of service.
Issuers will also be liable when spoofing fraud occurs. This is when a fraudster impersonates a bank’s employee to make the user authenticate the payment. If the payer acts fraudulently or with gross negligence, they will remain liable.
Authentication PSD2 required SCA factors to belong to two categories out of the following three: knowledge, possession, and inherence. With PSD3, using two of the same categories, like token and SMS OTP or even two passwords, is possible.
SCA delegation by issuers to third parties, such as Apple Pay, is now qualified as outsourcing and needs to comply with outsourcing rules to authenticate the cardholder. Adyen anticipated that outsourcing would be regulated and created a Delegated Authentication solution that allows us not to outsource to a third party but instead do the authentication ourselves. So issuers can delegate SCA to us.
Exemptions Merchant-initiated transactions (MIT), such as subscriptions, are now excluded from SCA. Only the first transaction requires SCA. MITs will have the same 8-week unconditional refund right (‘no question asked’) that you find in SEPA Direct Debits.
Similarly, card-based mail orders and telephone orders, also called MOTO transactions, don’t need to be authenticated with SCA. This exemption will greatly benefit sectors such as the travel industry.
Regarding tokenization, SCA is only required if the cardholder initiates the transaction, for instance, during a card-on-file transaction or when a cardholder initially enrolls their card in a digital wallet.
Accessibility SCA must now be accessible for vulnerable customers such as the elderly, people with disabilities, and non-digitally savvy consumers by providing authentication methods that don’t rely solely on smartphones.
Access to payment systems and account information
The PSR will introduce changes to the existing Open Banking framework that will remove obstacles to providing open banking services and ultimately increase uptime for banking and financial services.
Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will be allowed to build custom interfaces that connect to banks and other financial institutions.
Banks and financial institutions will have to share more information about their API performance by publishing quarterly statistics on interface availability and performance, creating a higher level of transparency. This gives businesses more accurate insights into the payment systems, helping them to make informed decisions about which partner they want to choose for their payment processing needs.
In case of bank downtime or disruptions, banks need to allow third parties (AISPs and PISPs) to use their own banking interfaces, leading to more efficient payment processes for digital businesses and their customers. Following applicable civil law, businesses also retain the right to claim damages for losses incurred.
Banks are required to provide customers with a permission dashboard. This dashboard allows customers to continuously monitor and manage permissions granted to AISPs conveniently.
The PSD3 and PSR proposals ensure consumers can continue safely and securely making electronic payments and transactions in the EU, domestically or cross-border, in euro and non-euro. It aims to provide a greater choice of payment service providers while safeguarding customers.
At Adyen, we're working with regulators and card schemes to ensure everything is ready for PSD3. At the moment, there are no further actions required. We'll keep you up to date on the latest developments of the regulations via email and system messages to ensure an optimal experience.
There is yet to be a clear timeline for implementing PSD3 and PSR. The European Parliament and European Council will review the proposed changes. The finalized versions might be accessible by late 2024. The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2026. If you want to find more details, visit the official documents here.
Learn more about how to balance convenience with security through better authentication here.