The Payment Services Directive (PSD) was introduced by the European Union to regulate and secure the online payment landscape taking root in Europe. Its primary goal is to encourage faster online payments, identify and respond to emerging fraudulent activities, and improve security for both businesses and consumers. Its successor, the PSD2, was built to expand this directive. The PSD2 focuses on improving the speed and security of online payments, leveling the playing field for new providers, and doubling down on the protection of customers and businesses from fraud. The need for Strong Customer Authentication was also identified with the PSD2, and it is being refined and enhanced with the introduction of the PSD3. With the volume of online payments growing significantly in the EU, the risks have evolved alongside this growth. This means that the need to protect businesses and customers engaged in these payments has only become more substantial. Building upon the groundwork laid by PSD2, the latest version of the Directive, the PSD3, was introduced in June 2023.
What is PSD3?
The PSD3 is the modernised revision of the Directive, responding to the current and evolving risks of fraud in the world of growing online payments. It encompasses all players in the payment ecosystem (consumers, merchants, banks, and non-bank payment service providers) by tightening the rules around consumer rights protection, inviting innovation and competition, and enforcing standardised regulations for implementing the Directive.
This version of the Directive is still a draft and has yet to be enforced across the EU. However, the impact it aims to create for consumers, their access to and control over their data, the guidelines it sets for how banks and service providers handle this data, and the elimination of inconsistency in its adoption make it a pivotal step in the direction of a healthier payment landscape.
It continues to build on the principles of the PSD2, but also recognises the accelerated use of payments in recent years, particularly against a post-COVID background. This means that the PSD3 must also address any inconsistencies in the PSD2 and expand its scope significantly so that its implementation and impact are not only widespread, but also comprehensive and regulated. As a step in this direction, the EU has also introduced a Payment Services Regulation (PSR) in association with the PSD3.
What is Payment Services Regulation (PSR)?
While the PSD3 is a directive, the PSR enforces regulatory guidelines for handling consumer concerns like payment disputes, unauthorised transactions, and of course, fraud. As a regulation, the PSR is now expected to be followed by all EU members and becomes a key tool in furthering the EU’s goal of making online payments faster, more secure, and more transparent.
Its aim to create a secure payments ecosystem that addresses fraud risks and strengthens consumer rights is reflected in the six key objectives of this proposal by the European Commission:
- Combat and mitigate payment fraud
- Improve customer rights
- Further level the playing field between banks and non-banks
- Improve the functioning of open banking
- Improve the availability of cash in shops and via ATMs
- Strengthen harmonisation and enforcement
Key updates to PSD3
1. Improving consumer protection:
The PSD3 emphasises the need for improved consumer rights by establishing stricter guidelines for handling consumer data. These include greater transparency regarding account statements and ATM charges, mandatory IBAN checks for payers to ascertain the payee name, and improved refund guidelines.
2. Expanding Open Banking:
While PSD2 laid the foundation for Open Banking, PSD3 is taking another step toward consumer security. To achieve this, it aims to introduce improved APIs, provide consumers more control over their data through user dashboards, and enable data sharing between banks and third parties to ensure consumers receive improved and safer financial services.
3. Improving Accessibility:
Making secure payments accessible to consumers is a key principle in the PSD3. This requires including vulnerable consumers like the elderly, low-income individuals, or individuals with disabilities and making payments adaptable to them. PSD3 encourages the development of user-friendly interfaces and authentication mechanisms that are inclusive and intuitive for all consumers.
4. Consistency across EU:
PSD3 aims to standardise payment security practices across all members of the EU. This turns key payment rules into directly applicable regulations that are enforceable by authorities to reduce inconsistencies and ensure uniform implementation of regulations. It also includes tightening of regulations and application of stricter penalties in cases of fraud or noncompliance.
5. Stronger Customer Authentication:
In line with the goal to consistently improve payment security, PSD3 focuses on Strong Customer Authentication. It requires businesses to share consumer data, like user behaviour, location, or device details, with banks for faster payment approvals. It adds another layer of security to online payments by enforcing stricter rules that payment services and card companies must follow to prevent fraud.
PSD3's Impact on the Payments Industry
A greater emphasis on Strong Customer Authentication (SCA) is at the heart of the PSD3’s effort to strengthen online payment security. While the SCA was introduced under the PSD2, it is broader in its scope, application, and impact as per PSD3 regulations.
Let’s take a closer look at the function of the SCA under PSD3:
1. Harmonising SCA interpretations:
SCA implementation was both unclear and uneven across Europe due to varied interpretations of the regulation. PSD3 recognised the need to eliminate these inconsistencies, and introduced guidelines for banks and payment providers to implement SCA standards uniformly. The SCA offers unified APIs that can be seamlessly integrated for businesses operating in different parts of the EU, which in turn is expected to create a consistent experience, with greater accountability and transparency as all involved parties are working under the same set of regulations.
2. Clearer SCA exemptions:
SCA exemptions were created to reduce friction. However, they also resulted in increased complexity for merchants trying to implement them depending on their type of business or the geographical location in which they operate. PSD3 standardises the exemptions, helping consumers with a seamless transaction experience and preventing friction at the time of payment. These include:
a. Low-Value Transactions: Increasing the limit for low-value transactions improves consumer experience, as consumers can avoid additional authentication and thereby complete a transaction faster.
b. Expanded List of Payees: PSD3 gives consumers greater flexibility and control over their payees leading to smoother transactions with trusted businesses.
c. Addressing Evolving Fraud: SCA is refined to identify and address threats in real-time conditions like regular transaction patterns as well as emerging technological risks like behavioural spoofing.
3. Enhanced Authentication:
While responding to evolving threats, the PSD3 also caters to emerging technologies that can improve consumer experience. This includes allowing for authentication across multiple devices, as well as improved scope for biometric standards, making payments seamless and without friction.
Whom does PSD3 affect?
The PSD3 takes into consideration implications for all players in the payments ecosystem:
Consumers: PSD3’s commitment to providing consumers with a secure, faster, and smoother payment experience is delivered through improved biometric authentication, reduced limitations for low-risk transactions, and stronger consumer rights against fraudulent transactions.
Merchants: The uniformity in PSD3 implementation across Europe will help merchants reduce friction during cross-border payments and significantly improve the checkout experience for their consumers.
Banks and Payment Service Providers: Compliance with regulatory requirements is made easier for banks and payment service providers with the integration of unified APIs and better fraud detection mechanisms. This in turn enhances the implementation of a digital payment landscape, building public trust in the directive and its principles.
Penalties for noncompliance with the Directive
While the PSD3 addresses the gaps in PSD2, banks and payment service providers will also have to assess the gaps in their own regulatory compliance. It is crucial that all players start taking stock of their regulatory practices and identify areas of improvement in line with the PSD3.
Failure to comply with the Directive’s regulations can result in penalties like fines or license removal. Banks and service providers can avoid these repercussions, along with potential reputation damage, by assuming responsibility for their roles in the security framework set down by the PSD3.
Conclusion
Ultimately, the PSD3 is a pivotal step in modernising the PSD2, making the payments landscape in Europe more secure and fraud-resistant. It takes into account the gaps of its predecessors, the growth of online payments in the EU, and the evolution of fraud risks that threaten its goal of a more secure, unified, and accessible payment ecosystem.
With help from the Payment Services Regulation, the PSD3 aims to promote Open Banking, improve SCA, and enable clear, standardised guidelines for implementation of the Directive’s principles. The expected impact is the creation and enhancement of a safer and frictionless payment experience for consumers, merchants, and payment service providers alike that builds and inspires trust, innovation, and security in online payments for all.