The European Union's Third Payment Services Directive (PSD3) entered its implementation phase in 2026, marking the most significant overhaul of payment regulation since PSD2 reshaped the industry in 2018. For any business processing payments involving European consumers, merchants, or banking infrastructure, PSD3 is not a distant policy document — it is a compliance reality that affects authorization flows, fraud liability, and cross-border transaction economics.
Unlike PSD2, which focused primarily on opening bank data to third-party providers, PSD3 takes a broader approach: it tightens fraud prevention rules, expands open banking obligations, and creates a clearer path for non-bank payment providers to access core payment infrastructure. For global businesses, the practical implications touch everything from checkout conversion rates to multi-currency settlement architecture.
What Is PSD3 and How Does It Differ from PSD2?
PSD3 is the third iteration of the EU's Payment Services Directive, proposed by the European Commission in mid-2023 and adopted in 2024, with member state transposition deadlines falling throughout 2025 and 2026. It is accompanied by the Payment Services Regulation (PSR), a directly applicable regulation that does not require national transposition — giving the European Banking Authority (EBA) stronger centralized enforcement powers.
Where PSD2 introduced open banking and Strong Customer Authentication (SCA), PSD3 addresses the gaps that emerged during PSD2's implementation: inconsistent SCA enforcement across member states, rising authorized push payment (APP) fraud, and barriers that prevented non-bank payment service providers (PSPs) from competing on equal footing with traditional banks.
| Aspect | PSD2 (2018) | PSD3 (2026) |
|---|---|---|
| SCA Scope | Required for electronic payments within EEA | Expanded to include merchant-initiated transactions and cross-border refunds |
| Open Banking | Required APIs without fallback standards | Mandatory dedicated interfaces with performance benchmarks and fallback obligations |
| Fraud Liability | Limited to unauthorized transactions | Extended to APP fraud with shared liability between sending and receiving PSPs |
| Non-Bank Access | Limited, subject to national discretion | Explicit right of access to payment systems with safeguards |
| IBAN Verification | Not required | Mandatory Confirmation of Payee for all SEPA credit transfers |
| Enforcement | National regulators with varied interpretation | PSR provides direct EU-level enforcement via EBA |
How Does PSD3 Change Cross-Border Payment Processing?
For businesses operating across borders, three PSD3 changes have the most immediate operational impact.
Confirmation of Payee (CoP) becomes mandatory for all SEPA credit transfers, requiring IBAN and name matching before a payment is executed. For platforms that initiate bulk payouts to European suppliers, freelancers, or partners, this means integrating real-time name verification into the payment flow — or risk increased payment rejections and fraud liability.
Open banking API standards are now enforceable with specific performance requirements. Third-party providers (TPPs) that rely on bank APIs for account information or payment initiation must meet uptime and response time benchmarks. For cross-border platforms, this improves the reliability of open banking-based payment methods — but also requires testing integrations against the new standards.
Cross-border SCA application is no longer subject to national interpretation. PSD3 clarifies when SCA applies to transactions where the payer's PSP is in one member state and the payee in another. For e-commerce platforms selling into Europe from outside the EU, the directive tightens the conditions under which SCA exemptions — such as low-value transactions or trusted beneficiaries — can be applied.
What Strong Customer Authentication Requirements Are Expanding?
SCA under PSD3 is broader in two key ways. First, it now explicitly covers merchant-initiated transactions (MITs), such as recurring subscriptions and installment payments. Previously, MITs often relied on an initial SCA event followed by subsequent exemptions — PSD3 requires re-authentication at defined intervals or when transaction patterns deviate significantly.
Second, the trusted beneficiary list (whitelisting) mechanism is standardized across member states. Under PSD2, each country operated its own scheme. PSD3 mandates a unified EU-wide trusted beneficiary list, managed through the EBA, which reduces fragmentation for platforms serving multiple European markets.
| SCA Element | PSD2 Standard | PSD3 Standard |
|---|---|---|
| Merchant-Initiated Transactions | Exempt after initial auth | Periodic re-authentication required |
| Trusted Beneficiary Lists | National schemes, inconsistent | EU-wide standardized list via EBA |
| Low-Value Exemption Threshold | €30 cumulative / 5 transactions | Maintained but with tighter monitoring |
| Transaction Risk Analysis (TRA) | Optional, bank discretion | Mandatory real-time TRA for exemptions |
For businesses, the practical impact is higher authentication rates at checkout — which can depress conversion if not managed carefully. The counterbalance, as discussed in our guide on payment orchestration, is that smart routing can selectively apply SCA only when required, preserving frictionless checkout for low-risk transactions.
How Will Open Banking Evolve Under PSD3?
PSD3 transforms open banking from a market-opening initiative into a regulated utility. Banks are now required to maintain dedicated API interfaces with uptime guarantees (99.5% availability benchmark), response time limits (under 500ms for account information queries), and fallback mechanisms when APIs degrade.
For TPPs and the platforms that rely on them, this means more predictable integration — but also new obligations. Account information service providers (AISPs) must now demonstrate data minimization practices, and payment initiation service providers (PISPs) are required to implement Confirmation of Payee checks.
The business opportunity is significant: reliable open banking APIs reduce the dependency on card networks for intra-European payments, potentially lowering transaction costs by 40-60% compared to card-based settlement for high-value B2B transfers. For platforms processing European supplier payments, this opens a path to bypass traditional correspondent banking entirely, using open banking-initiated SEPA transfers with real-time confirmation.
What Fraud Prevention and Liability Changes Should Businesses Prepare For?
The most consequential PSD3 change for fraud liability is the extension to authorized push payment (APP) fraud. Under PSD2, liability for APP fraud — where a victim is tricked into authorizing a payment to a fraudster — fell almost entirely on the consumer. PSD3 introduces shared liability between the sending PSP and the receiving PSP, with the receiving PSP required to reimburse 50% of the loss when it failed to implement adequate fraud detection on incoming payments.
This creates a new operational requirement: PSPs processing inbound payments from European accounts must now verify payee identity, monitor for mule account patterns, and implement real-time transaction risk scoring — or accept financial liability for fraud that passes through their infrastructure.
Additionally, IBAN/name mismatch handling becomes a PSP responsibility. If a payment is executed despite a name mismatch after CoP verification, the PSP bears full liability for the resulting loss. For payment gateways and platforms handling cross-border e-commerce, this means integrating CoP verification into the payment flow is no longer optional.
How Do Non-Bank Payment Providers Benefit from PSD3?
PSD3 grants non-bank PSPs — including payment institutions and electronic money institutions — a direct right of access to designated payment systems, subject to risk-based safeguards. Under PSD2, access was largely at the discretion of national central banks, creating an uneven playing field where fintech companies in some EU countries could access settlement infrastructure while others could not.
Combined with the PSR's direct applicability, this provision enables non-bank payment providers to participate in SEPA settlement, TIPS instant payments, and potentially future CBDC-based payment rails without needing a banking license. For global payment gateways and fintech platforms, this lowers the barrier to offering European payment services directly rather than through banking partners.
However, access is not unconditional. Non-bank PSPs must meet capital requirements, risk management standards, and operational resilience criteria that align with those applied to traditional banks. The practical path for most platforms is through a licensed payment institution or via partnership with a provider that already holds the necessary permissions.
What Are the Most Common Misunderstandings About PSD3?
Myth 1: PSD3 only affects EU-based businesses. Any business that processes payments from European consumers or routes transactions through European banking infrastructure is impacted. This includes non-EU e-commerce platforms, SaaS companies with European customers, and global marketplaces with European sellers.
Myth 2: PSD3 compliance is just about updating terms and conditions. The directive mandates technical changes — CoP integration, expanded SCA flows, API performance monitoring, and fraud detection systems — that require engineering investment, not just legal review.
Myth 3: Non-bank PSPs can now operate exactly like banks. PSD3 grants access to payment systems but does not grant a banking license. Non-bank PSPs still cannot accept deposits or lend, and they remain subject to safeguarding requirements for customer funds.
Myth 4: SCA exemptions will keep checkout friction low. While exemptions remain, the conditions are tighter and enforcement is more consistent across member states. Platforms should plan for higher authentication rates and invest in UX that makes SCA as seamless as possible — biometric authentication and device-based recognition can mitigate the conversion impact.
Frequently Asked Questions
When does PSD3 take full effect?
The directive entered into force in 2024 with an 18-month transposition period for member states, meaning national implementations were due throughout 2025 and early 2026. The accompanying PSR applies directly without national transposition. Most provisions are now enforceable across the EU.
How does PSD3 affect businesses outside the EU?
If you process payments from EU consumers, use European PSPs, or route transactions through SEPA, PSD3's SCA, CoP, and fraud liability rules apply to those transaction flows. The geographic scope follows the transaction, not the merchant's location.
What is Confirmation of Payee and why does it matter?
CoP verifies that the IBAN and account holder name match before a payment is executed. Under PSD3, it is mandatory for SEPA credit transfers. For businesses making bulk payouts, CoP reduces misdirected payments but requires integrated name-matching infrastructure.
Can I use open banking instead of cards for European payments now?
Yes — and PSD3 makes it more reliable. With mandatory API uptime guarantees and standardized performance benchmarks, open banking-based payments are becoming a viable alternative to card rails, particularly for high-value B2B transfers where card interchange fees are significant.
What happens if my PSP is not PSD3 compliant?
Non-compliant PSPs face enforcement actions from national regulators and, under the PSR, directly from the EBA. More practically, non-compliant PSPs may lose API access to European banks, face increased fraud liability, and become unviable for European payment processing.
Where can I learn more about cross-border payment regulation?
Our analysis of the broader global payments structural shift covers how PSD3, CBDCs, and AI-driven compliance are converging to reshape the payment landscape.
PSD3 is not another incremental regulatory update — it is a structural shift in how payment authentication, fraud liability, and open banking are governed across the European Economic Area. For global businesses, the window for reactive compliance is closing. The platforms that treat PSD3 as an opportunity to optimize payment flows, reduce card dependency, and build fraud-resistant infrastructure will be best positioned as the regulatory framework matures.
For platforms navigating PSD3 compliance and cross-border payment infrastructure, WonderGate provides integrated payment services — including SEPA-ready processing, multi-currency settlement, and built-in Confirmation of Payee verification — to help global businesses stay compliant and competitive.