Digital Payments Trends for 2026
The Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR) are significant advancements in the European Union’s efforts to modernize and secure the payments landscape. These regulatory frameworks build on the foundations laid by PSD1 and PSD2, reflecting the evolving needs and challenges in digital payments.
PSD3 aims to enhance consumer protection, improve competition, and bolster security across the payments industry. It introduces stricter regulations and broader scopes compared to its predecessors, addressing gaps and inconsistencies in previous implementations. The directive is designed to safeguard consumer rights and personal information while fostering a competitive environment that encourages innovation and the development of new financial services.
Enhanced Consumer Protection
One of the primary objectives of PSD3 is to strengthen consumer protection. This includes implementing more comprehensive rules on data sharing and fraud prevention. Businesses will need to share additional data with issuers, such as user location, transaction time, device usage, spending habits, transaction history, session data, and device IP. These measures aim to increase transaction approval rates by providing a clearer picture of which transactions to approve and which to decline. Additionally, under specific conditions, payment schemes and PSPs will be allowed to process personal data for fraud prevention without explicit user consent, provided the data is used solely for this purpose.
PSD3 also introduces a liability shift in cases of fraud. Payment schemes, technical service providers, and payment gateways will be held accountable if they fail to implement Strong Customer Authentication (SCA). This change is intended to protect consumers from technical malfunctions and encourage service providers to maintain high standards. Issuers will be responsible for fraud involving identity spoofing, ensuring they take necessary precautions to authenticate users securely.
Strong Customer Authentication (SCA)
The changes regarding SCA under PSD3 are significant. SCA must now cover a broader range of data points to ensure safer transactions. The directive allows for the use of two similar authentication factors, such as token and SMS OTP, which was not permitted under PSD2. This flexibility aims to simplify the authentication process without compromising security. Additionally, SCA delegation by issuers to third parties, such as Apple Pay, is now considered outsourcing and must comply with outsourcing rules. Adyen has developed a Delegated Authentication solution that allows issuers to delegate SCA without outsourcing it to third parties.
PSD3 includes exemptions for certain transactions. Merchant-initiated transactions (MIT), such as subscriptions, are excluded from SCA, with only the first transaction requiring authentication. This exemption also extends to card-based mail orders and telephone orders (MOTO transactions), which will benefit industries like travel. Regarding tokenization, SCA is required only if the cardholder initiates the transaction, such as during a card-on-file transaction or when initially enrolling a card in a digital wallet.
Access to Payment Systems and Account Information
The new regulation will significantly impact the existing Open Banking framework. Banks and financial institutions will be required to share detailed information about their API performance, including quarterly statistics on interface availability and performance. This transparency will help businesses make informed decisions about their payment processing partners. In cases of bank downtime or disruptions, banks must allow third-party providers to use their interfaces, ensuring continuity and efficiency in payment processes.
Additionally, banks are required to provide customers with a permission dashboard. This dashboard allows customers to manage and monitor the permissions granted to Account Information Service Providers (AISPs) conveniently. This measure aims to give consumers greater control over their financial data and enhance the overall user experience.
Exemptions for Transactions with Direct Carrier Billing (DCB)
The new Payment Services Regulation (PSR) specifies that certain types of payment transactions are not covered by the rules. As defined in PSD2, these exemptions apply to transactions managed by providers of electronic communications networks or services, as described below:
- Payments for digital content and voice services: regardless of the device used to purchase or consume the content, if these costs are added to the related bill.
- Payments made through or from an electronic device that are added to a related bill: these can be for charitable donations or for purchasing tickets.
The new limits for direct carrier billing specify that these transactions are exempt only if each transaction does not exceed 60 euros (up from the current 50 euros) and one of the following conditions is met:
- The total amount of transactions of a single subscriber does not exceed 360 euros per month (up from the current 300 euros).
- If a subscriber has prepaid their account, the total amount of their transactions must not exceed 360 euros per month (up from the current 300 euros).
PSD3 requires Member States to mandate that service providers conducting the aforementioned activities notify the competent authorities. These service providers must also submit an annual audit document to demonstrate compliance with the transaction limits specified in the new PSR.
Future Implications
The implementation timeline for PSD3 and PSR is still unclear, with finalized versions expected by late 2024. Member states typically receive an 18-month transition period, suggesting that PSD3 and PSR could come into effect around 2026. These regulations are set to provide consumers with safer and more secure ways to make electronic payments and transactions within the EU, both domestically and cross-border, in euro and non-euro currencies.
PSD3 and PSR represent significant steps towards modernizing the EU’s payment services framework. By addressing current challenges and leveraging technological advancements, these regulations aim to enhance security, improve consumer protection, and foster a competitive environment that supports innovation. The changes introduced by PSD3 will have wide-ranging impacts on consumers, businesses, and the payments industry, setting a new standard for digital payments in the EU.
Stay tuned!