PSD3: what is it and what is the difference with PSD2?
The European Commission is updating its regulations for the payment services industry and, with its third Payment Services Directive (PSD3) expected in late 2024, merchants, banks, fintechs, card networks, and payment processors are prepping for both the additional work and opportunities it will bring.
PSD3, at a glance:
- PSD3 is a set of rules for the payment services industry issued by the European Commission that builds on its previous directives, PSD2 (issued in 2015) and PSD1 (issued in 2007).
- The goals of the European Commission’s Payment Service Directives are to protect consumers and facilitate a more secure, integrated, competitive, and efficient EU payments market.
- PSD3 expands on the framework of PSD2, specifically in the areas of fraud prevention, open banking, data access, consumer rights, cash availability, and fair competition.
What is PSD3?
PSD3 is a third Payment Services Directive from the European Commission that’s expected to be released in late 2024. It’s a set of regulations for the payment industry designed to further enhance and build on the goals of previous directives, PSD1 issued in 2007 and PSD2 issued in 2015.
The central goal of the European Commission’s payment services directives is to develop and maintain a single payment services market for the EU that provides the same level of consumer protection, efficiency, and innovation across all of its member states. These regulations seek to make cross-border payments as streamlined and secure as domestic payments by standardising the laws for electronic payments and fostering an environment that facilitates competition and innovation. Whereas PSD1 sought to create this single market, PSD2 and the soon-to-be PSD3 seek to enhance it with protections for consumers, merchants, and payment service providers that meet the demands of the modern financial services landscape.
Key components of PSD3
Enhanced SCA requirements
When evaluating the impact of PSD2, the European Commission found its fraud-prevention regulations, specifically its Strong Customer Authentication (SCA) requirements, to be one of the most successful components of the directive. The SCA requirements add an extra layer of security to the payment process by requiring consumers to provide at least two pieces of identifying information during the payment process. This information must belong to two of the following categories:
- Something the customer KNOWS (e.g., a PIN or password)
- Something the customer HAS (e.g., a card reader or mobile phone)
- Something the customer IS (e.g., face or fingerprint recognition)
Some of the main ways in which PSD3 will expand its SCA requirements from PSD2 include:
- Clarifying when certain transactions may be exempt from SCA
- Requiring SCA for mobile wallet enrollments
- Requiring payment service providers to offer SCA methods that don't rely solely on one technology, ensuring accessibility for all users (e.g., elderly or low-income users)
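The two-of-three rule above is easy to get subtly wrong: two prompts from the same category (a PIN and a password) are not SCA. The following is an added example, not code from the original post; the evidence names and their category mapping are an assumed vocabulary for illustration.

```python
from enum import Enum


class Category(Enum):
    """The three SCA factor categories under PSD2/PSD3."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed mapping from the evidence a PSP collects to its SCA category.
# The names are illustrative, not a standard vocabulary.
EVIDENCE_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "card_reader_code": Category.POSSESSION,
    "registered_phone_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def sca_categories(evidence):
    """Return the set of distinct categories covered by the evidence.

    Evidence types the PSP does not recognise contribute nothing, so an
    unknown factor name can never help satisfy SCA.
    """
    return {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}


def sca_satisfied(evidence):
    """True only if at least two *different* categories are present.

    Two factors from the same category (e.g. PIN plus password) do not
    count: the rule is two categories, not two prompts.
    """
    return len(sca_categories(evidence)) >= 2


def missing_categories(evidence):
    """Categories a PSP could still prompt for to complete SCA."""
    return sorted(c.name for c in set(Category) - sca_categories(evidence))
```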
“Spoofing” fraud prevention
The European Commission has highlighted impersonation fraud, also known as “spoofing,” as an area in which PSD2 is not sufficiently equipped. This type of fraud is more challenging to prevent, as the customer, having been manipulated by the fraudster, does in fact provide their consent to authorise a payment. Since spoofing and social engineering scams take advantage of reasonable human error, it’s difficult for automated fraud-prevention systems to detect and prevent them.
With PSD3, the European Commission plans to enhance requirements for spoofing detection and prevention in the following ways:
- Using an IBAN/name check for all credit transfers, requiring the bank to verify that the payee name given by the payer matches the name held against that IBAN
- Strengthening transaction monitoring measures to highlight unusual, potentially fraudulent payment activity
- Providing a legal framework for payment service providers to share information on fraud, such as data related to ongoing scams
- Requiring payment service providers to thoroughly educate their staff and customers on payment fraud prevention
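An IBAN/name check as described above has two parts: confirming the IBAN itself is well formed (the ISO 7064 mod-97 check digits), then comparing the payee name the payer typed against the name on record, with a "close match" outcome so the payer can be warned rather than silently blocked. This is an added example, not code from the original post; the account lookup table and the 0.85 similarity threshold are constructed assumptions (the directive sets no such number).

```python
import re
from difflib import SequenceMatcher

# Constructed lookup of IBAN -> account holder name, standing in for the
# payee bank's records. The GB IBAN is the widely published sample value.
ACCOUNT_NAMES = {
    "GB82WEST12345698765432": "John Smith",
}

CLOSE_MATCH_THRESHOLD = 0.85  # assumed policy value, not from the directive


def iban_checksum_ok(iban):
    """Validate an IBAN's ISO 7064 mod-97 check digits."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]          # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def normalise_name(name):
    """Case-fold, drop punctuation and collapse whitespace before comparing."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())


def verify_payee(iban, payee_name_entered):
    """Outcome of the IBAN/name check for a credit transfer."""
    if not iban_checksum_ok(iban):
        return "invalid_iban"
    key = re.sub(r"\s+", "", iban).upper()
    on_record = ACCOUNT_NAMES.get(key)
    if on_record is None:
        return "unknown_account"
    entered, held = normalise_name(payee_name_entered), normalise_name(on_record)
    if entered == held:
        return "match"
    ratio = SequenceMatcher(None, entered, held).ratio()
    return "close_match" if ratio >= CLOSE_MATCH_THRESHOLD else "no_match"
```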
Fair competition for non-bank PSPs
Non-bank payment service providers, such as payment institutions (PIs) and e-money institutions (EMIs), have become more popular during the PSD2 era, but a lack of legislation around fair competition has prevented many from accessing the critical banking services and payment infrastructures they need to operate. For example, commercial banks often refuse to let PIs and EMIs open bank accounts, or they close their accounts with little warning, citing vague concerns over anti-money-laundering rules. The current environment puts non-bank payment service providers at the mercy of commercial banks despite being their direct competitors.
To solve these issues, PSD3 will require banks to provide much stronger justification for refusing services to payment service providers. If a bank does deny a payment service provider critical banking services or decides to close its account, the PSP will be able to appeal the decision to its national authority. These updates will help level the playing field for non-bank PSPs by allowing them to compete more fairly with traditional banks.
Improvements to open banking
PSD3 will build on PSD2’s framework for “open banking,” wherein third-party providers can access a consenting customer’s banking and payment account data in order to provide valuable services, such as spending summaries, budgeting tools, and targeted financial products.
The goal of PSD3 in regard to open banking is to improve the functionality of data sharing between banks and third parties without disrupting the existing infrastructure or increasing costs. In addition to laying out stricter rules for data access interfaces, PSD3 is expected to make the following specific changes to its open banking requirements:
- Removing the need for banks to maintain two data access interfaces (having a “fall-back” interface will no longer be required).
- Requiring banks and payment account providers to have a consumer dashboard tool that allows customers to see which companies have access to their data and makes it easy for them to revoke access if needed.
Greater consumer rights
Protecting consumers, and standardising consumer protections across Europe, has long been a goal of the European Commission. PSD3 will build on previous directives to further enhance the rights of EU consumers in a number of ways, including:
Improved communication and clarity regarding currency conversion charges
PSD3 will require payment service providers to inform customers of estimated currency conversion charges for credit transfers and money remittances to countries outside the EU, as well as the estimated time it will take for the funds to be received by the payee.
The goal of this initiative is to give customers more tools for comparing currency conversion rates and international transfer fees so that they can make informed decisions when choosing a payment service provider.
Clearer payee info in payment account statements
Under PSD2, it isn’t specified whether the legal name or commercial name of a payee should appear on the customer’s account statements. As a result, consumers often don’t recognise the name of a legitimate payee and wrongly suspect fraud, leading to unnecessary hassle and confusion. PSD3 will fix this by requiring payment service providers to clearly identify payees, including listing their commercial trade name if applicable.
More transparency with ATM charges
Under PSD3, payment service providers must disclose to users information on fees charged by all ATM operators in their member states. This will allow consumers to understand upfront which costs they’ll incur before choosing an ATM from which to withdraw funds.
Greater protection for temporarily held or “blocked” funds
Certain types of merchants, such as petrol stations, hotels, and car rental companies, temporarily hold funds to cover expected costs or potential damages. Although this is a common practice in these industries, the European Commission has pointed out that the amount of money held is often disproportionately high compared to the actual, final transaction amount, and the process of returning the held funds to the customer can be lengthy and needlessly complicated. PSD3 will put into place rules to ensure a speedier pay-out of unused “blocked” funds and that the held funds are more proportionate to the final transaction amount.
More cash availability
With PSD3, the European Commission is hoping to give consumers more opportunities to withdraw cash by making it easier for merchants and ATM operators to provide cash withdrawal services. There are two main ways in which PSD3 will increase the availability of cash for consumers:
1. Purchase-free “cashback” at brick-and-mortar shops
In the current market, retailers, such as supermarkets, are able to offer customers “cashback” as part of a purchase of goods or services. PSD3 will update the current regulations so that retailers can offer customers this cash withdrawal service outside of a traditional purchase transaction. In other words, customers won’t need to buy anything from the shop but can simply request cash directly from the cashier using their payment card or mobile wallet. Certain restrictions will remain, such as a €50 withdrawal limit, so as to fairly compete with ATMs and to not empty the onsite cash stores of brick-and-mortar merchants.
2. More ATMs
Under PSD2, certain ATM operators (those that don’t service payment accounts) are allowed to operate without a license. However, there’s limited awareness of this within the industry. PSD3 will make these exemptions clearer to encourage higher numbers of ATMs across the EU, particularly in areas where there are few or no ATMs available.
PSD2 vs PSD3
Banks, payment service providers, and all organisations affected by the European Commission's Payment Services Directives can view PSD3 as an extension of PSD2, rather than a significant disruption to the existing payment services infrastructure in Europe.
In many cases, the new regulations expected to come out of PSD3 are enhancements to existing requirements and do not require any extensive rebuilding of payment infrastructures or costly integrations of new technologies. Instead, PSD3 looks to build on the success of PSD2’s regulations and offer simple solutions to cover areas overlooked or underserved by PSD2.
The key differences between PSD2 and PSD3 are:
- Stronger SCA requirements
- Enhanced fraud protection, particularly in regard to “spoofing”
- Improved data sharing to facilitate more efficient, valuable “open banking” frameworks
- More rights for consumers in regard to transparency and communication, payment charges, statements, and held funds
PSD3 is designed to improve the payment services industry for all parties involved—merchants, banks, payment service providers, fintechs, card networks, and, most importantly, consumers. It’s expected to usher in a new era of transparency, security, and consumer protection that further establishes the EU as a global leader in financial service regulation and innovation.
How long do companies have to implement PSD3 requirements?
The final version of PSD3 is expected to be released in late 2024. If granted an 18-month transition period, as was the case with previous directives, then PSD3 will go into effect at some point in 2026.
What’s the difference between PSD3 and PCI DSS?
PSD3 is a legal framework issued by the European Commission for regulating the payment services industry and harmonising payment services for a single EU market. The rules and requirements established by these directives are part of European law, and failure to comply with them has legal consequences.
PCI DSS (Payment Card Industry Data Security Standard) is a set of global standards issued by the PCI Security Standards Council that primarily focuses on card payment security. It’s enforced by the card networks and, although linked with certain laws across the globe, PCI DSS itself is not a law.
In short, PSD3 has a broader scope than PCI DSS, applies only to European Union member states, and consists of explicit laws. PCI DSS deals only with card payment security, is an industry standard rather than a law, and applies globally.
Why is PSD3 needed?
PSD3 is needed because, as consumer habits change and payment technology advances, the law must adapt to meet the demands of both consumers and merchants across the EU. PSD3 will revise and enhance the requirements of PSD2 to protect consumers from new types of fraud and patch up security weak points. It will enhance frameworks for data sharing and help ensure both traditional and non-traditional financial service institutions can compete fairly.
What are the penalties for not complying with PSD3?
As with its predecessors PSD2 and PSD1, PSD3 is law. Failure to comply with PSD3 will result in fines and the potential loss of licensing for the offending institution. The nature of the penalty will vary depending on the type of compliance breach and its severity. The European Commission’s Payment Service Directives are overseen and enforced by the “competent authority” in the member state where the offence is committed.