Nº02

February 2024

Preparing for PSD3  

Review the next steps as we enter a new era for payments in the EU

The European Commission has proposed a new Payment Services Directive (PSD3) to keep pace with the rapidly changing payments landscape.

Though specific deadlines remain unclear at this time, the European Parliament and European Council are reviewing the proposed changes and finalized versions may be available by late 2024 with an 18-month period of transition. Using that information to approximate a timeline, PSD3 is expected to replace the current PSD2 framework by 2026.  

Nabeel Moosa

VP of Strategy and Value Creation, Nexi Group

This article is a brief summary of what to expect from PSD3. We recommend reviewing the official documentation directly from the European Commission.

Fully implemented by Jan 2021, PSD2 introduced significant changes to the way authentication happens for all payments across Europe by introducing Strong Customer Authentication (SCA), and created a whole new segment of payment services by mandating that banks open up access to accounts. PSD3 seeks to improve both SCA and Account Access, as well as to ensure a level playing field across EU markets.

PSD3, like PSD2, will require changes across the payments value chain. Ensuring the ambitions of the directive are met will require careful implementation plans and a patient rollout from Banks, PSPs and Merchants.

The shift to PSD3 will bring a number of key changes, including:

  • A new Payment Services Regulation (PSR): PSD3 and the PSR will drive further updates to SCA rules, including more clarity on payments that are and are not covered by the rules. 
  • More extensive Strong Customer Authentication (SCA) regulations: PSD3 will require PSPs to implement SCA for all payments, regardless of the amount or channel used. This will help to reduce fraud and protect consumers. 
  • Stricter rules on access to payment systems and account information: PSD3 will give consumers more control over their data and make it easier for them to switch between PSPs. 

View from our expert:

Željka Perok

Senior Product Manager, Nexi Group

What to expect from PSD3?

PSD3, or Payment Services Directive 3, is an upcoming set of regulations for the payment services industry within the European Union (EU). It aims to build upon the success of PSD2, which was implemented in 2015, and address the challenges and opportunities posed by the evolving payments landscape. PSD2 and PSD3 are both directives aimed at modernizing and enhancing the EU payment services landscape. While they share some common objectives, there are several key differences between the two directives.

Scope

PSD2 primarily focuses on retail payments, covering online payments, card payments, and mobile payments. PSD3 expands this scope to encompass a wider range of payment services, including corporate payments, e-commerce payments, and cross-border payments. This broader scope reflects the growing complexity and diversity of payment transactions in the digital age.

SCA Requirements

PSD2 introduced Strong Customer Authentication (SCA) requirements for online payments, aiming to strengthen security against fraud and cyberattacks. PSD3 builds on this by strengthening SCA requirements and introducing new SCA methods. The goal is to ensure that authentication remains effective even as fraudsters adapt their tactics.

Enhanced Security

PSD3 introduces several enhancements to strengthen the security of electronic payments and reduce the risk of fraud. One of these enhancements is spoofing prevention. Spoofing is a type of cyberattack in which attackers pretend to be someone or something else to win a person’s trust in order to steal sensitive information, such as login credentials or payment details. PSD3 addresses spoofing by requiring payment service providers (PSPs) to follow and implement additional security measures related to stronger authentication methods, risk-based authentication and device fingerprinting. In addition to these measures, PSD3 also requires PSPs to implement other security measures, such as:

  • Encryption of payment data: Payment data must be encrypted throughout the payment process, from the point of entry to the point of authorization. This helps to protect the data from being intercepted and stolen by attackers.
  • Data masking: Payment data should be masked whenever it is not directly needed for authorization. This makes it more difficult for attackers to steal or misuse the data.
  • Vulnerability management: PSPs must have a robust vulnerability management program in place to identify and remediate security weaknesses in their systems. This helps to prevent attackers from exploiting vulnerabilities to gain access to payment data.

Access to Payment Data

PSD2 provided limited access to payment data for Account Information Service Providers, enabling consumers to share their transaction history and other relevant information with these third-party providers. PSD3 expands access to payment data for account information service providers, allowing them to gather more comprehensive and granular information. This expansion will enable account information service providers to offer a wider range of innovative financial services, such as budgeting tools, personalized financial advice, and fraud detection. PSD3 also seeks to strengthen the rights of non-bank PSPs by giving them a right to a bank account. This is intended to address the problem of banks refusing to open accounts for non-bank PSPs, which can make it difficult for them to operate. PSD3 is a positive step towards a more competitive and consumer-friendly payments industry. By leveling the playing field for non-bank PSPs, PSD3 is expected to lead to more innovation, lower prices, and better customer service for consumers.

Consumer rights protection

PSD3 is set to introduce several enhancements to protect consumer rights in the payments industry. These improvements are aimed at making payments more secure, transparent, and fair for consumers. It will require payment service providers (PSPs) to be more transparent about their fees, charges, and terms and conditions. This will make it easier for consumers to compare products and services, and it will help to prevent them from being misled or overcharged.

Innovation

PSD2 encouraged innovation in the retail payments space by creating a more competitive and dynamic market. PSD3 places a stronger focus on fostering innovation across the entire payments ecosystem, recognizing that innovation is crucial for adapting to evolving payment trends and consumer preferences. This includes promoting the development of new payment methods, such as open banking and real-time payments, and supporting the adoption of emerging technologies like artificial intelligence and blockchain. PSD3 is expected to make open banking a more secure, efficient, and user-friendly experience for consumers. This will foster innovation and competition in the financial services industry, ultimately leading to more choice and better value for consumers.

PSD3 is still in the early stages of development, with a finalized proposal expected in late 2024. The implementation of PSD3 is expected to be phased in over a three-year period, with the final deadline for compliance set for 2027. PSD2 has already had a positive impact on the EU payments landscape, making it more secure and convenient for consumers. PSD3 is expected to build on this success by further enhancing security, expanding access to payment data, and promoting innovation, making the EU payments ecosystem more modern, efficient, and consumer-centric.

Impact on the payments industry 

PSD3 is expected to have a significant impact, specifically on Payment Services Providers (PSPs) as well as the payments industry as a whole, including: 

  • Increased competition: Competition between new and traditional payment methods will bring better UX on A2A and open up new use cases.
  • Improved security: The SCA requirements for PSD3 will guard against fraudulent activity and scams more vigorously, making it safer for consumers. 
  • More choice and control for consumers: PSD3 will give consumers more trust in the ecosystem through a more standardised framework across all countries, and more direct enforcement for non-compliance.

What to do now 

Now is the time for businesses to get ahead of these changes and start preparing for PSD3. This includes reviewing SCA processes which are yet to be updated and making sure that they are compliant with the new requirements.  

PSPs should also develop a plan to implement the other changes required by PSD3, such as the new rules on access to payment systems and account information.

Consumers can also start preparing for PSD3 by learning more about their rights and how to protect their data. Consumers should also be aware of the potential changes to their payment experience, such as the existing SCA requirements and new updates that will follow.

“Overall, PSD3 is a positive development for the payments industry and consumers alike. It will help to make payments more secure, competitive, and consumer-friendly as e-commerce and financial technologies continue to evolve.”