The European Union's Third Payment Services Directive (PSD3) entered its implementation phase in 2026, marking the most significant overhaul of payment regulation since PSD2 reshaped the industry in 2018. For any business processing payments involving European consumers, merchants, or banking infrastructure, PSD3 is not a distant policy document — it is a compliance reality that affects authorization flows, fraud liability, and cross-border transaction economics.
Unlike PSD2, which focused primarily on opening bank data to third-party providers, PSD3 takes a broader approach: it tightens fraud prevention rules, expands open banking obligations, and creates a clearer path for non-bank payment providers to access core payment infrastructure. For global businesses, the practical implications touch everything from checkout conversion rates to multi-currency settlement architecture.
What Is PSD3 and How Does It Differ from PSD2?
PSD3 is the third iteration of the EU's Payment Services Directive, proposed by the European Commission in mid-2023 and adopted in 2024, with member state transposition deadlines falling throughout 2025 and 2026. It is accompanied by the Payment Services Regulation (PSR), a directly applicable regulation that does not require national transposition — giving the European Banking Authority (EBA) stronger centralized enforcement powers.
Where PSD2 introduced open banking and Strong Customer Authentication (SCA), PSD3 addresses the gaps that emerged during PSD2's implementation: inconsistent SCA enforcement across member states, rising authorized push payment (APP) fraud, and barriers that prevented non-bank payment service providers (PSPs) from competing on equal footing with traditional banks.
| Aspect | PSD2 (2018) | PSD3 (2026) |
|---|---|---|
| SCA Scope | Required for electronic payments within EEA | Expanded to include merchant-initiated transactions and cross-border refunds |
| Open Banking | Required APIs without fallback standards | Mandatory dedicated interfaces with performance benchmarks and fallback obligations |
| Fraud Liability | Limited to unauthorized transactions | Extended to APP fraud with shared liability between sending and receiving PSPs |
| Non-Bank Access | Limited, subject to national discretion | Explicit right of access to payment systems with safeguards |
| IBAN Verification | Not required | Mandatory Confirmation of Payee for all SEPA credit transfers |
| Enforcement | National regulators with varied interpretation | PSR provides direct EU-level enforcement via EBA |
How Does PSD3 Change Cross-Border Payment Processing?
For businesses operating across borders, three PSD3 changes have the most immediate operational impact.
Confirmation of Payee (CoP) becomes mandatory for all SEPA credit transfers, requiring IBAN and name matching before a payment is executed. For platforms that initiate bulk payouts to European suppliers, freelancers, or partners, this means integrating real-time name verification into the payment flow — or risk increased payment rejections and fraud liability.
Open banking API standards are now enforceable with specific performance requirements. Third-party providers (TPPs) that rely on bank APIs for account information or payment initiation must meet uptime and response time benchmarks. For cross-border platforms, this improves the reliability of open banking-based payment methods — but also requires testing integrations against the new standards.
Cross-border SCA application is no longer subject to national interpretation. PSD3 clarifies when SCA applies to transactions where the payer's PSP is in one member state and the payee in another. For e-commerce platforms selling into Europe from outside the EU, the directive tightens the conditions under which SCA exemptions — such as low-value transactions or trusted beneficiaries — can be applied.
What Strong Customer Authentication Requirements Are Expanding?
SCA under PSD3 is broader in two key ways. First, it now explicitly covers merchant-initiated transactions (MITs), such as recurring subscriptions and installment payments. Previously, MITs often relied on an initial SCA event followed by subsequent exemptions — PSD3 requires re-authentication at defined intervals or when transaction patterns deviate significantly.
Second, the trusted beneficiary list (whitelisting) mechanism is standardized across member states. Under PSD2, each country operated its own scheme. PSD3 mandates a unified EU-wide trusted beneficiary list, managed through the EBA, which reduces fragmentation for platforms serving multiple European markets.
| SCA Element | PSD2 Standard | PSD3 Standard |
|---|---|---|
| Merchant-Initiated Transactions | Exempt after initial auth | Periodic re-authentication required |
| Trusted Beneficiary Lists | National schemes, inconsistent | EU-wide standardized list via EBA |
| Low-Value Exemption Threshold | €30 cumulative / 5 transactions | Maintained but with tighter monitoring |
| Transaction Risk Analysis (TRA) | Optional, bank discretion | Mandatory real-time TRA for exemptions |
For businesses, the practical impact is higher authentication rates at checkout — which can depress conversion if not managed carefully. The counterbalance, as discussed in our guide on payment orchestration, is that smart routing can selectively apply SCA only when required, preserving frictionless checkout for low-risk transactions.
How Will Open Banking Evolve Under PSD3?
PSD3 transforms open banking from a market-opening initiative into a regulated utility. Banks are now required to maintain dedicated API interfaces with uptime guarantees (99.5% availability benchmark), response time limits (under 500ms for account information queries), and fallback mechanisms when APIs degrade.
For TPPs and the platforms that rely on them, this means more predictable integration — but also new obligations. Account information service providers (AISPs) must now demonstrate data minimization practices, and payment initiation service providers (PISPs) are required to implement Confirmation of Payee checks.
The business opportunity is significant: reliable open banking APIs reduce the dependency on card networks for intra-European payments, potentially lowering transaction costs by 40-60% compared to card-based settlement for high-value B2B transfers. For platforms processing European supplier payments, this opens a path to bypass traditional correspondent banking entirely, using open banking-initiated SEPA transfers with real-time confirmation.
What Fraud Prevention and Liability Changes Should Businesses Prepare For?
The most consequential PSD3 change for fraud liability is the extension to authorized push payment (APP) fraud. Under PSD2, liability for APP fraud — where a victim is tricked into authorizing a payment to a fraudster — fell almost entirely on the consumer. PSD3 introduces shared liability between the sending PSP and the receiving PSP, with the receiving PSP required to reimburse 50% of the loss when it failed to implement adequate fraud detection on incoming payments.
This creates a new operational requirement: PSPs processing inbound payments from European accounts must now verify payee identity, monitor for mule account patterns, and implement real-time transaction risk scoring — or accept financial liability for fraud that passes through their infrastructure.
Additionally, IBAN/name mismatch handling becomes a PSP responsibility. If a payment is executed despite a name mismatch after CoP verification, the PSP bears full liability for the resulting loss. For payment gateways and platforms handling cross-border e-commerce, this means integrating CoP verification into the payment flow is no longer optional.
How Do Non-Bank Payment Providers Benefit from PSD3?
PSD3 grants non-bank PSPs — including payment institutions and electronic money institutions — a direct right of access to designated payment systems, subject to risk-based safeguards. Under PSD2, access was largely at the discretion of national central banks, creating an uneven playing field where fintech companies in some EU countries could access settlement infrastructure while others could not.
Combined with the PSR's direct applicability, this provision enables non-bank payment providers to participate in SEPA settlement, TIPS instant payments, and potentially future CBDC-based payment rails without needing a banking license. For global payment gateways and fintech platforms, this lowers the barrier to offering European payment services directly rather than through banking partners.
However, access is not unconditional. Non-bank PSPs must meet capital requirements, risk management standards, and operational resilience criteria that align with those applied to traditional banks. The practical path for most platforms is through a licensed payment institution or via partnership with a provider that already holds the necessary permissions.
What Are the Most Common Misunderstandings About PSD3?
Myth 1: PSD3 only affects EU-based businesses. Any business that processes payments from European consumers or routes transactions through European banking infrastructure is impacted. This includes non-EU e-commerce platforms, SaaS companies with European customers, and global marketplaces with European sellers.
Myth 2: PSD3 compliance is just about updating terms and conditions. The directive mandates technical changes — CoP integration, expanded SCA flows, API performance monitoring, and fraud detection systems — that require engineering investment, not just legal review.
Myth 3: Non-bank PSPs can now operate exactly like banks. PSD3 grants access to payment systems but does not grant a banking license. Non-bank PSPs still cannot accept deposits or lend, and they remain subject to safeguarding requirements for customer funds.
Myth 4: SCA exemptions will keep checkout friction low. While exemptions remain, the conditions are tighter and enforcement is more consistent across member states. Platforms should plan for higher authentication rates and invest in UX that makes SCA as seamless as possible — biometric authentication and device-based recognition can mitigate the conversion impact.
📎 Related: Learn more about fraud prevention measures →
📎 Related: Learn more about international payment compliance →
📎 Related: Learn more about cross-border payment costs →
<Frequently Asked Questions
Q1: What is PSD3 and how does it differ from PSD2?
A: PSD3 (Payment Services Directive 3) is the EU's updated payment regulation, enhancing PSD2 with stronger open banking APIs, improved fraud prevention requirements, expanded consumer protections, and harmonized rules for cross-border payments within the EU.
Q2: How does PSD3 affect cross-border payment providers?
A: PSD3 requires payment providers to strengthen authentication, improve API performance and uptime, enhance fraud monitoring, and provide more transparent pricing. Non-EU providers serving EU customers must comply or risk losing market access.
Q3: When does PSD3 come into effect?
A: PSD3 is expected to be implemented between 2026-2027, with a transition period for existing PSD2 license holders. Payment providers should begin compliance preparations now, as the requirements are more extensive than PSD2.
