What to expect from PSD3?
PSD3, or Payment Services Directive 3, is an upcoming set of regulations for the payment services industry within the European Union (EU). It aims to build upon the success of PSD2, which was implemented in 2015, and address the challenges and opportunities posed by the evolving payments landscape. PSD2 and PSD3 are both directives aimed at modernizing and enhancing the EU payment services landscape. While they share some common objectives, there are several key differences between the two directives.
Scope
PSD2 primarily focuses on retail payments, covering online payments, card payments, and mobile payments. PSD3 expands this scope to encompass a wider range of payment services, including corporate payments, e-commerce payments, and cross-border payments. This broader scope reflects the growing complexity and diversity of payment transactions in the digital age.
SCA Requirements
PSD2 introduced Strong Customer Authentication (SCA) requirements for online payments, aiming to strengthen security against fraud and cyberattacks. PSD3 builds on this by strengthening SCA requirements and introducing new SCA methods. The goal is to ensure that authentication remains effective even as fraudsters adapt their tactics.
Enhanced Security
PSD3 introduces several enhancements to strengthen the security of electronic payments and reduce the risk of fraud. One of these enhancements is spoofing prevention. Spoofing is a type of cyberattack in which attackers pretend to be someone or something else to win a person's trust in order to steal sensitive information, such as login credentials or payment details. PSD3 addresses spoofing by requiring payment service providers (PSPs) to implement additional security measures related to stronger authentication methods, risk-based authentication and device fingerprinting.
In addition to these measures, PSD3 also requires PSPs to implement other security measures, such as:
- Encryption of payment data: Payment data must be encrypted throughout the payment process, from the point of entry to the point of authorization. This helps to protect the data from being intercepted and stolen by attackers.
- Data masking: Payment data should be masked whenever it is not directly needed for authorization. This makes it more difficult for attackers to steal or misuse the data.
- Vulnerability management: PSPs must have a robust vulnerability management program in place to identify and remediate security weaknesses in their systems. This helps to prevent attackers from exploiting vulnerabilities to gain access to payment data.
Access to Payment Data
PSD2 provided limited access to payment data for account information service providers, enabling consumers to share their transaction history and other relevant information with these third-party providers. PSD3 expands access to payment data for account information service providers, allowing them to gather more comprehensive and granular information. This expansion will enable account information service providers to offer a wider range of innovative financial services, such as budgeting tools, personalized financial advice, and fraud detection.
PSD3 also seeks to strengthen the rights of non-bank PSPs by giving them a right to a bank account. This is intended to address the problem of banks refusing to open accounts for non-bank PSPs, which can make it difficult for them to operate. PSD3 is a positive step towards a more competitive and consumer-friendly payments industry. By leveling the playing field for non-bank PSPs, PSD3 is expected to lead to more innovation, lower prices, and better customer service for consumers.
Consumer Rights Protection
PSD3 is set to introduce several enhancements to protect consumer rights in the payments industry. These improvements are aimed at making payments more secure, transparent, and fair for consumers. The directive will require payment service providers (PSPs) to be more transparent about their fees, charges, and terms and conditions. This will make it easier for consumers to compare products and services, and it will help to prevent them from being misled or overcharged.
Innovation
PSD2 encouraged innovation in the retail payments space by creating a more competitive and dynamic market. PSD3 places a stronger focus on fostering innovation across the entire payments ecosystem, recognizing that innovation is crucial for adapting to evolving payment trends and consumer preferences. This includes promoting the development of new payment methods, such as open banking and real-time payments, and supporting the adoption of emerging technologies like artificial intelligence and blockchain. PSD3 is expected to make open banking a more secure, efficient, and user-friendly experience for consumers. This will foster innovation and competition in the financial services industry, ultimately leading to more choice and better value for consumers.
PSD3 is still in the early stages of development, with a finalized proposal expected in late 2024. The implementation of PSD3 is expected to be phased in over a three-year period, with the final deadline for compliance set for 2027. PSD2 has already had a positive impact on the EU payments landscape, making it more secure and convenient for consumers. PSD3 is expected to build on this success by further enhancing security, expanding access to payment data, and promoting innovation, making the EU payments ecosystem more modern, efficient, and consumer-centric.