The European payments landscape is undergoing a significant transformation with the introduction of Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR), the latest update to their predecessor, PSD2.
This new directive for electronic payments and financial services in the EU is expected to revolutionize the whole industry by changing the way merchants operate.
Evolution of Payment Services Directives
The first Payment Services Directive (PSD1) was introduced in 2007 to create a unified payments market in the EU. In 2015, the second Payment Services Directive (PSD2) was launched to regulate all types of payments within the EU, regardless of currency or whether they are domestic or international.
PSD2 was designed to:
- Improve consumer protection and security
- Remove barriers to new payment services
- Create a fair environment for both new and established providers
It also aimed to give more payment options to consumers and merchants and make it easier for payment services to be used across borders.
In 2022, the European Commission evaluated PSD2 and proposed changes to enhance charges, scope, thresholds, and accessibility, aiming to improve user experience and convenience.
Understanding PSD3 and PSR
PSD3 and PSR update PSD2 to make electronic payments more efficient and secure while encouraging competition and innovation in the financial industry. PSD3 and PSR are the evolution of PSD2, with the purpose of further harmonizing the payment market and decreasing the space for national variation.
Key features of PSD3 and PSR include:
- More robust Strong Customer Authentication (SCA) regulations
- Stricter rules on accessing payment systems and account information
- Enhanced consumer protection through the accompanying Payment Services Regulation (PSR)
The main goals are to safeguard consumers’ rights and personal information, to foster a more competitive payments industry, and to harmonize the EU payments market.
While the exact timeline for PSD3 and PSR implementation isn’t confirmed, finalized versions are expected by late 2024 or early 2025. Afterward, there will likely be an 18-month transition period, meaning the new regulations could take effect around 2026.
PSD3 addresses inconsistencies in PSD2’s implementation and expands its scope, making it better suited for the current payments landscape. It covers transparency, liability, and open banking, with stricter SCA regulations and tighter rules around payment systems and account information access, which are crucial for protecting transactions and preventing payment fraud.
So, how will PSD3 impact the payments industry?
Strong Customer Authentication
PSD3 (Payment Services Directive 3) introduces important changes to Strong Customer Authentication (SCA) to provide consumers with safer buying experiences.
Key changes include:
- Businesses must share more data with banks that issue payment cards, such as the user’s location, transaction timing, and typical spending habits.
- This additional data helps issuing banks make better decisions about whether to approve a transaction, reducing fraud risk.
Also, an interesting aspect of the new PSR is that it allows companies to use personal data for fraud prevention without explicit user consent, as long as they comply with the General Data Protection Regulation (GDPR) rules.
This means companies can use data like location and spending habits to detect potential fraud, even without explicit permission from users. They must still adhere to all relevant data protection rules, but this change aims to make online transactions more secure for everyone.
Fraud Prevention
The proposed changes in regulations concerning fraud liability suggest a shift in responsibility to the parties involved in payment processes. This includes card schemes, technical service providers, and payment gateways, who will be held accountable for any fraudulent activities if they fail to apply SCA (Strong Customer Authentication).
This shift ensures that customers are protected from any technical malfunctions and motivates providers to maintain high-quality services.
Moreover, issuers could also be held liable for spoofing fraud, which occurs when a fraudster impersonates a bank employee to trick the user into authenticating the payment.
However, if the customer acts fraudulently or with gross negligence, they will remain liable.
Authentication
PSD2 requires that two of the following three SCA factors be used for authentication: something the user knows, something they possess, or something inherent to them.
With the new PSR, it’ll be possible to use two factors from the same category, such as using a token and an SMS one-time password or even two passwords.
Additionally, it’s important to note that if an issuer delegates the authentication process to a third party, it’s considered outsourcing and must comply with outsourcing rules to ensure the cardholder’s identity is properly authenticated.
Exemptions For MITs
Merchant-initiated transactions (MITs) will no longer be required to go through Strong Customer Authentication (SCA) after the initial transaction. This means that only the first transaction will require SCA.
Moreover, MITs will benefit from the 8-week unconditional refund right, similar to the refund policy found in SEPA Direct Debits.
Accessibility
Under the new PSR, Strong Customer Authentication (SCA) must be accessible to vulnerable customers, ensuring authentication methods are suitable for the elderly, those with disabilities, or those with limited digital skills.
This mandate ensures that authentication processes are accessible and user-friendly for all consumers, regardless of technical knowledge or physical abilities.
By implementing SCA in an inclusive manner, financial institutions and service providers can protect customers from fraud and unauthorized transactions while promoting accessibility and fairness for all.
Access to Payment Systems and Account Information
The PSR will bring changes to the Open Banking framework, removing obstacles and increasing uptime for banking and financial services.
Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will gain the ability to build custom interfaces, fostering a more transparent and efficient payment ecosystem.
Get Ready for Changes
Looking forward, the forthcoming PSD3 and PSR regulations aim to provide EU consumers with safer and more reliable electronic payment options.
Although the implementation timeline is not finalized, the final versions are expected by late 2024, with an effective date around 2026. Merchants should stay updated on these regulatory developments to ensure optimal preparedness.
PSD3 will significantly reshape Europe’s payment landscape, prioritizing security, innovation, and consumer protection. Therefore, merchants should view these changes as opportunities to enhance the payment experience in the ever-evolving digital world.
By staying informed and adapting to these changes, merchants can position themselves for success in the future of ecommerce.