6 minutes
PSD3 and PSR: The next chapter for European payments
What Europe’s new payments rules mean for businesses navigating a constantly evolving payment journey.
Sophie Willaert
EMEA Public Policy Lead
Sophie Willaert is a public policy specialist with deep experience across EU and UK regulatory affairs. She leads EMEA policy engagement and advises on the impact of developments on Worldpay, now Global Payments, our clients and the payments ecosystem.
Key points
- PSD3 and PSR will reshape Europe’s payments framework with tighter regulation, clearer accountability and higher standards for performance.
- Stronger fraud controls, more flexible authentication and improved transparency will change how businesses manage risk, cost and conversion.
- Platforms and merchants must reassess their models now to stay compliant, protect growth and compete in a more complex payments ecosystem.
The way people pay and get paid is changing faster than ever before. Since the introduction of the European Union’s (EU) second Payment Services Directive (PSD2) framework, the regional payments landscape has evolved, with new technologies, business models and consumer expectations reshaping every step of the payment journey.
Recognizing this shift, the EU has introduced an updated package (subject to final formalities at the time of writing) – the third Payment Services Directive (PSD3), as well as a new Payment Services Regulation (PSR), aimed at modernizing and harmonizing the EU payments framework to strengthen fraud prevention, consumer protection and open banking, while clarifying the authorization and supervisory rules for payment and marketplace business models across the single market.
PSD3/PSR applies to payment services carried out within the EU, including cross-border payments activities. Businesses established outside the EU will normally be outside the scope of the framework, however they may still be affected if they have EU‑based customers or rely on EU‑regulated payment service providers.
Why change is necessary
Businesses are now operating in an environment impacted by rising and new fraud types, increasing complexity and higher consumer expectations for uninterrupted, real-time payment experiences. While PSD2 played an important role in laying the foundation for open banking and improving payment security, particularly through Strong Customer Authentication (SCA), the market kept evolving and a few practical challenges have emerged:
Growing expectations for reliable payments highlight the need for more consistent, high-performing bank APIs, as uneven implementation under PSD2 has constrained the development of open banking payments into a scalable and trusted option.
- The rise in digital wallet payments, alongside a broader use of tokenization and biometrics, points to the need for updated authentication rules that are better embedded in the user experience.
- Fraud patterns are becoming more sophisticated, especially around social engineering and authorized payment fraud, reinforcing the need for more adaptive, intelligence-driven prevention approaches.
- A growing share of digital commerce now takes place through multi‑party platforms such as marketplaces, gig and creator platforms, travel aggregators, embedded commerce hubs and more, increasing the complexity around responsibility, compliance and coordination across the payment journey.
PSD3/PSR aims to modernize the regulatory environment to reflect how digital commerce actually works today.
What is changing with PSD3 and PSR?
The PSD3/PSR package aims to strengthen the EU payments rulebook and deliver:
1. A clarified and unified regulatory perimeter and approach
Payment and e‑money institutions will be brought under a single, harmonized licensing regime.
A key element is the introduction of clear definitions, including the notion of agent and supervisory rules. As the PSR is a regulation (rather than a directive), its contents are directly applicable in EEA territories and not subject to local implementation and interpretation as for PSD2 (as a directive).
The commercial agent exclusion in particular, which has been widely used by platforms to avoid payment service licensing, will be significantly narrowed. As before, it will apply only where an agent represents one party exclusively but additionally, the agent must have real scope to negotiate or conclude the sale on their behalf (rather than merely represent the party in an automated platform setting). Platforms that operate on behalf of both the buyer and seller or which don’t have real scope to negotiate on behalf of the buyer or seller may need to obtain a payment institution license, restructure their payment flows or rely more heavily on licensed payment partners.
2. Greater transparency
The package introduces new transparency requirements. Notably, card schemes and processors will be required to present their fees in a clear, consistent and standardized format, distinguishing between mandatory, specific and optional fees. Advance notice will also be required before any fee changes take effect. They will also be required to maintain a single EU public repository of scheme/processing rules and fees, giving businesses greater visibility into the components of acceptance costs.
3. Enhanced open banking payments
Banks will face stricter requirements for API availability, performance and functionality, with further limitations on the use of fallback access mechanisms. This is expected to improve the reliability of third-party access and payment initiation services.
In parallel, the EU’s Instant Payments Regulation requires euro credit transfers to be processed and received instantly. Together, these two updates could accelerate the adoption of pay‑by‑bank solutions.
4. Evolving fraud and SCA requirements
The framework strengthens requirements on fraud prevention. Payment service providers will face new obligations covering fraud prevention, customer education, staff training, cooperation and information‑sharing with other financial institutions and electronic communications service providers as well as enhanced obligations regarding verification of payees. In some cases, it also may require PSPs to reimburse users for losses resulting from impersonation fraud.
The framework also updates the approach to SCA. Building on PSD2, changes are intended to adapt the existing SCA framework to reflect current technologies and evolving payment journeys, without altering its core principles. They aim to support smoother checkout experiences by providing greater clarity on when SCA is required, how it applies across different payment flows and how exemptions should be used.
Authentication methods will become more flexible, enabling the use of biometrics and risk‑based decisioning, while maintaining strong security controls. To ensure accessibility, more than one SCA method will need to be offered to consumers.
The finer technical details will be set out in the updated Regulatory Technical Standards (RTS) from the European Banking Authority (EBA), covering operational rules for SCA, exemptions and transaction monitoring.
5. Strengthened responsibilities across the payment chain
The framework clarifies the allocation of liability across the payment chain and places greater emphasis on cooperation in fraud prevention. Wallet providers and other technical service providers may be held accountable where failures in the payment chain prevent strong customer authentication from being supported, reinforcing shared responsibility for secure payment execution.
PSD2 vs PSD3: at a glance
Area | PSD2 | PSD3/PSR |
|---|---|---|
Regulatory structure | Separate regulations for payment institutions and e‑money institutions | Integrated license frameworks and regulatory framework |
Commercial agent exclusion (CAE) | Broad interpretation, allowing many platforms to rely on it | Tightened definition: applies only where agent represents one party and has a real scope to negotiate or conclude contracts |
Open banking payments | Uneven API performance; fallback access allowed | Stricter API requirements with restricted fallback access for improved reliability |
SCA rules | Two‑factor authentication with defined exemptions | Clearer scope with more flexibility, modern authentication rules, refined exemptions and deeper transaction monitoring |
SCA accessibility | Authentication largely smartphone-dependent in practice | Requirement to offer alternative authentication methods |
Scheme and processor fee transparency | Limited, non‑standardized | Mandatory, standardized fee disclosure and EU repository |
Liability clarity across ecosystem | PSP‑centric responsibility | Clearer allocation of responsibilities across PSPs and relevant third parties |
Scope for marketplaces | Many exempt from licensing under CAE | Many multi‑party platforms may have to become licensed PSPs or rely on a licensed PSP to remain out of the payment flow |
How can businesses prepare today?
To get ahead of the anticipated 2028 application, you can start preparing by focusing on these key areas:
1. Review your current business model
Assess whether your activities may require authorization under PSD3. If you are a multi-party platform this could involve obtaining a license, restructuring your transaction flow or partnering with a licensed payments provider.
2. Map your authentication journeys
While SCA obligations sit with payment service providers, businesses should assess whether changes to authentication methods or payment flows may affect the customer experience and integration requirements.
3. Engage early on fraud and risk dependencies
With PSD3 enhanced fraud and transaction‑monitoring requirements, such as dynamic risk scoring and behavioral analysis, businesses should engage with their payment providers early to understand how new risk controls may affect acceptance, friction and dispute handling.
The new PSD3 framework seeks to bring greater clarity, stronger consumer protection and a more harmonized operating environment. It also introduces higher standards for compliance, authentication and operational design. By starting preparations early, reviewing commercial models and considering how to adapt payment flows, businesses can be better equipped to navigate the upcoming regulatory changes.
European payments FAQ
What are PSD3 and PSR in European payments?
How will PSD3 impact merchants and payment providers?
What does PSD3 change for fraud prevention and authentication?
How will PSD3 affect marketplaces and platform business models?
Will PSD3 improve open banking and pay-by-bank adoption?
When will PSD3 and PSR come into effect?
This commentary is not exhaustive and does not constitute advice of any kind. Prevalent laws, customs, technologies, associated risks and your specific circumstances constantly change, so Worldpay/Global Payments provides this commentary with no warranties, representations and guarantees. If you rely on this commentary in any way, you do so at your own risk. Seek independent professional advice to help ensure that what you do is right for your specific circumstances.
Related insights
