Resource center
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Topic
Region
Perspectives

An updated guide to PSD3 and PSR for merchants

PSD3 and PSR will reshape EU payments, strengthening fraud prevention, authentication, and consumer protections. This article explains what’s changing, when it applies, and how you can prepare.

Link to the author's page
Rami Josef
January 29, 2026
Link to the author's page
An updated guide to PSD3 and PSR for merchants

On June 28 2023, the European Commission presented two sets of proposals to modernize the current Payment Services Directive (PSD2) as part of a broader push for digital transformation in the financial sector: PSD3 and Payment Services Regulation (PSR)

Fast forward to December 2025, and the European Parliament and Council agreed to those proposed changes. The texts are still awaiting formal adoption by the Parliament and Council. 

Both sets of proposals prioritize trust, security, and the interests of consumers. Together, they aim to strengthen consumer protection and foster competition within electronic payments, enabling consumers to securely share their data and access a wider selection of improved and more affordable financial products and services.

At the same time, PSD3 aims to level the playing field by making sure electronic money institutions (EMIs) and payment institutions (PIs) have access to payment systems and bank accounts. 

The update to the Payment Services Directive consists of the following measures, as summarized by the European Commission:

  • Combat and mitigate payment fraud
  • Improve consumer rights and control over their payment data, strengthening user protection and confidence in payments 
  • Level the playing field between banks and non-banks by improving access to EU payment systems and bank accounts for non-bank payment service providers (PSPs)
  • Improve the competitiveness of open banking services by removing obstacles 
  • Boost access to cash in shops via ATMs
  • Strengthen harmonization and enforcement by ensuring appropriate penalties

If you’re a merchant taking digital payments in Europe, what do these measures mean for your business?

We’ll look at PSD3’s top areas of impact, covering how the legislation is set to impact fraud prevention, customer refunds rights, and the responsibilities of PSPs. We’ll end with some practical advice on how to prepare for the changes.

What is PSD3?

The third edition of the Payment Services Directive came about after a review of PSD2. As such, PSD3 is an updated set of rules for PSPs such as Checkout.com. At the moment, it’s a proposed piece of legislation that is in the process of becoming law in the EU. The measures are not expected to come into force until 2027.

Timeline of PSD3

So when will the industry feel the impact of PSD3? Here’s an overview of the timeline so far: 

June 2023 – The European Commission proposed PSD3 and PSR, which included the following:

  • Merging the e-money regime into PSD3
  • Establishing the PSR to ensure business conduct rules apply directly throughout the EU
  • Extending payee verification to all credit transfers and changing SCA rules 

But the way the EU legislative process works is that the European Council, Commission, and Parliament all have to agree and negotiate with member states. 

April 2024 – The European Parliament adopted its position.

June 2025 – The European Council adopted its position, and the European Parliament and Council received their mandate to begin talks to negotiate the legislation. 

November 2025 – The Parliament and Council agreed changes to the legislation, which will now undergo the usual EU legislative process, with formal adoption expected to come in 2027. The agreed text will start to apply once this process and the following transition period (expected to be around 21 months) have ended – likely in 2027. 

Which businesses are in the scope of PSD3?

PSD3 applies to payment services provided by banks, PSPs, and technical service providers supporting payment services, as well as other payment institutions within the EU/ EEA. 

What is the geographical scope of PSD3?

PSD3 covers all EU member states, and all European Economic Area (EEA) countries. It will not automatically apply to the UK. 

PSD3 vs PSR

The updated PSD2 rules are being split into two parts: PSD3 and PSR. 

PSD3 is a directive that focuses on how payment companies are licensed and supervised. Because it’s a directive, each EU country has to write it into their own national laws before it takes effect. 

PSR, on the other hand, is a regulation. It includes rules about security, Strong Customer Authentication (SCA), and how PSPs must operate. Regulations apply immediately and automatically in every EU country – no need for each country to create its own version.

Both PSD3 and the PSR will join together to strengthen consumer protection, boost transparency and accessibility, and close the gaps left by PSD2. 

PSD2 vs PSD3

PSD2 was first introduced in 2015 to transform the EU payment market by strengthening consumer protection, fostering innovation, and establishing fair competition among PSPs. It put tighter security requirements for online protocols in place. 

However, as the payments industry changed quickly – with new technology, new players, and new types of fraud – there was a growing need for the directive to expand its scope. 

That’s why PSD3 was proposed by the European Commission in 2023. It’s an updated version of PSD2 that reflects the needs of the payments industry today, designed to fix PSD2’s gaps. 

One key change is giving more non-bank PSPs the ability to access key payment systems and bank accounts directly, supported by clearer rules and safeguards to prevet unjustified refusals. Previously, non-bank PSPs didn’t always have the same access as bank PSPs, which limited fair competition and innovation. 

This harmonization is treated as a priority: EU member states will be required to implement these updated access provisions into national law within six months of the directive’s final publication. 

Because PSD3 builds on PSD2, it shares many of the same focus areas – modern fraud types, how customer data is handled, fair access to financial systems for different kinds of payment providers, and authentication rules. And since PSD3 (along with the PSR) will apply more consistently across all EU countries, it reduces the chances of each country to interpret things differently. 

There are some significant shifts in liability for fraud, the need to ensure payment authentication is accessible, plus a time limit on payment dispute resolution for customers. 

Another change is that payment institutions will be allowed to issue e-money. Under PSD2, payment institutions and e-money institutions hold separate licenses: e-money institutions can issue e-money and provide payment services, while payment institutions can only provide payment services. PSD3 proposes to combine the frameworks so that e-money institutions become a category of payment institution, with stricter requirements for providers that issue e-money.

Authentication and fraud detection

Digital technology has advanced significantly since PSD2 was first rolled out in 2015. As fraud becomes more dynamic and sophisticated, PSD3 mandates better detection and protection. 

Fortunately, EU regulators are including some of the benefits of new technology to improve user experience in authentication

In particular, PSD3 supports a broader approach to fraud detection – one that allows risk to be assessed earlier in the customer journey and enables authentication to adapt to the situation. 

This means fraud can increasingly be detected before the point of payment, using behavioral analysis and contextual signals rather than relying solely on step-up challenges. This could help to reduce your business’s financial losses from ecommerce fraud, which is set to hit $91 billion for merchants in 2028 (up from $38 billion in 2023).

Two of the major points on this theme are:

  • Behavioral analysis to calculate fraud risk. This involves comparing user behavior on an ecommerce site to their typical activity. For instance, looking at how the user interacts with website features such as the search bar, their typing speed, and which payment methods they use. These factors can feed into fraud score calculation.

  • Improving user accessibility. Changes to SCA rules aim to ensure customers without smartphones (or access to biometric verification) can still pay online. With PSD2, customers needed two authentication factors from different categories: something you have, something you are, and something you know. However, PSD3 allows both factors to come from the same category – for example, two pieces of memorized information could be used instead of requiring a phone. 

The legislative proposal calls out “an obligation on PSPs to improve accessibility of SCA for users with disabilities, older people, and other people facing challenges regarding the use of SCA”. Although accessibility may have seemed more of a nice-to-have in the past decade, it’s becoming an essential part of how digital payments in Europe must work from now on.

Taken together, these changes reinforce a clear message: future-proof authentication must be adaptive, accessible, and data-driven. Providers that offer multiple authentication experiences within a single framework are better positioned to support PSD3’s focus on accessibility and user-experience – while protecting conversion and security, like Checkout.com’s Authentication product. 

Refund rights for customers

As fraud is evolving, the European Commission seeks to ensure customers are not financially liable in unfair circumstances. That means they’re strengthening the conditions under which customers are entitled to a refund, in the event of fraud.

Here are two key examples:

Spoofing fraud attacks

Customers who lose money to “spoofing” fraud attacks – where a fraudster impersonates a bank employee to trick them into harmful actions – will be able to reclaim the funds from their PSP. This applies only if certain conditions are met, such as promptly notifying the PSP and filing a police report.

IBAN and name verification service

To help ensure payee details are entered correctly, PSD3 will introduce a mandatory system to check a payee’s IBAN (international bank account number) matches the account name for all credit transfers. It must be provided free of charge to consumers. If the system fails and the consumer suffers damages, then they are entitled to a refund in certain circumstances.

Harmonized enforcement and shifting liability

PSD3 will see penalties and harmonized enforcement measures for payment service providers that fail to meet fraud prevention standards. This includes fines for non-compliance with fraud prevention regulations and guidelines.

With its focus on customer rights within payment services, PSD3 will shift the balance of fraud liability away from customers and onto PSPs. 

Increased transparency for customers on their payments data

A range of PSD3 provisions aim to improve the customer experience of payments and how customer data is handled by financial institutions. Here are some of the main highlights:

  • Customer awareness programs. PSPs will be required to implement educational programs to raise consumer awareness about fraud risks, phishing attacks, and safe payment practices.

  • Credit card statement transparency. Sometimes it’s hard to remember exactly where and when you made transactions that appear on your financial statement. To mitigate this, your credit card statement or your bank statement will show the name of the merchant that you made a purchase from (instead of a third-party company, which sometimes happens now).

  • Improved dispute resolution processes. Regulators believe dispute resolution processes are too varied and don't put the customer’s needs at the center. New mechanisms will simplify the dispute resolution process for victims of fraud, making it easier to recover funds. Also, disputes (including chargebacks) must be resolved within 14 days.

What does PSD3 mean for the global payments industry?

PSD3 sets the stage for other regulations to follow around the world. The EU has been setting the standard for some time, and the question increasingly isn’t if regulators will adopt a model similar to PSD3, but when. As Europe tightens its rules, regulators in other regions and countries are already implementing similar measures and adopting similar frameworks. Singapore’s Payment Services Act is a prime example. 

How can merchants prepare for PSD3?

Although 2027 feels far away, you should look at your payments and data systems now to ensure they are ready to become compliant. Mid-market organizations looking to expand into Europe will need to stay abreast of changes to payment regulations, data handling rules, and customers’ legal rights. 

Stay agile

With so much happening in this area, staying agile is essential. Build flexible operations and processes now so your infrastructure can handle quick shifts as regulations evolve. Adaptability is your greatest asset because the changes will keep coming. Resilience is key to confidently absorbing the impact of whatever direction regulators take next. 

Invest in tech readiness

Tech readiness is an essential ingredient. From fraud detection to authentication, investing in the right tech today means meeting regulatory demands and avoiding penalties tomorrow. One of PSD3’s key aims is strengthening enforcement and application of appropriate penalties for non-compliance. 

And penalties don’t just mean fines and chargebacks – they also show up as cart abandonment from harder checkout, higher fraud losses, and rising operating costs. 

Having the tech that meets regulatory requirements and delivers a smooth checkout experience will pay off long term. You need a future-focused PSP that designs its services with both compliance and customer experience in mind. 

Leverage partnerships 

Strong partnerships with PSPs and compliance experts are key to staying ahead of regulatory changes. Every party is interconnected. The right partners not only understand the road ahead, but also use it to improve the customer experience. Preventing fraud, approving only legitimate transactions, and staying ahead of the curve are table stakes – and at Checkout.com, that’s our priority. 

Prepare for PSD3 with Checkout.com

Regulators and PSPs want the same thing: a trusted space for merchants and for their customers, with secure data transmission and convenient payments. At Checkout.com, our Legal, Information Security, and Product Development teams work together to provide an industry-leading client experience. Don't be afraid to expect more from your payment technology partners.

The right solution balances security and convenience. You can comply with PSD3 without compromising the user experience by implementing real-time, multi-layered risk scoring across all customer touchpoints. 

Checkout.com’s Authentication supports multiple authentication experiences through a single integration, dynamically routing payments to get the best acceptance rates – powered by machine learning trained on billions of transactions. It enables convenient authentication methods such as device biometrics to speed up your checkout and reduce cart abandonment. This flexibility aligns with PSD3’s accessibility goals: ensuring different customers can authenticate successfully. 

Fraud Detection Pro also uses advanced machine learning to detect the latest fraud trends based on our network data, helping your business keep pace with emerging fraud. You’ll get accurate risk scoring with the option to customize settings around your business goals. 

Want to know more about PSD3 and PSR and how it may impact your business? Reach out to our team of experts.

Download PDF

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button

Most recent articles

Top 9 payment trends for 2026
Blog
Jan 27, 2026

Top 9 payment trends for 2026

Read article
How to pay suppliers easily: Key webinar takeaways
Blog
Jan 19, 2026

How to pay suppliers easily: Key webinar takeaways

Read article
Instant Access: Unveiling the Magic of Push Provisioning
Blog
Jan 19, 2026

Instant Access: Unveiling the Magic of Push Provisioning

Read article
What is card program management?
Blog
Jan 19, 2026

What is card program management?

Read article
How and why to launch a card program
Blog
Jan 19, 2026

How and why to launch a card program

Read article
Virtual card issuing for travel: How to transform your B2B payments
Blog
Jan 19, 2026

Virtual card issuing for travel: How to transform your B2B payments

Read article
Mobile-first card issuing: 5 steps to create your mobile app
Blog
Jan 19, 2026

Mobile-first card issuing: 5 steps to create your mobile app

Read article
Stablecoins in the real world: The regulatory landscape
Blog
Jan 19, 2026

Stablecoins in the real world: The regulatory landscape

Read article
Introducing Issuing: Launch a card-issuing program without the issues
Blog
Jan 19, 2026

Introducing Issuing: Launch a card-issuing program without the issues

Read article
Virtual cards explained: Benefits & use cases for businesses
Blog
Jan 14, 2026

Virtual cards explained: Benefits & use cases for businesses

Read article
OpenAI’s ACP and Google’s UCP: What’s the difference?
Blog
Jan 11, 2026

OpenAI’s ACP and Google’s UCP: What’s the difference?

Read article
What is BIN sponsorship?
Blog
Jan 9, 2026

What is BIN sponsorship?

Read article
Return to home
January 29, 2026 17:30
January 29, 2026 17:30