Unlocking the Future of Payments: Preparing for PSD3

The most valuable sector in financial services is preparing to adapt to another round of complex European regulation—again. Later this year, the EU is expected to publish the full text of PSD3, with member states likely required to transpose the rules into national law within 18 months of publication.

As with most regulations, PSD3 presents a significant operational challenge for payments—a fast-moving, highly innovative industry that generates $2.5 trillion in revenue from $2 quadrillion in value flows and 3.6 trillion transactions globally, according to McKinsey’s Global Payments Report.

Compliance will require sustained effort across the industry. While the full penalty framework has not yet been published, firms that fail to meet the new requirements are likely to face substantial financial, reputational, and operational consequences. For now, payment firms have some time on their side—but firm deadlines will soon be established. To help you prepare, we’ve compiled some of the most important takeaways about this potentially industry-shaping directive.

PSD3 is the successor to the Second Payment Services Directive (PSD2), which harmonized payment rules across Europe, introduced Strong Customer Authentication (SCA), and mandated open banking—requiring banks to provide regulated third parties with access to customer account data to increase competition.

The new directive consolidates previously separate legal regimes for Payment Institutions (PIs) and Electronic Money Institutions (EMIs) into a single authorization framework. It forms part of a broader legislative package alongside the Payment Services Regulation (PSR), which will apply directly across all 27 EU member states without needing to be transposed into national law.

Under PSD2, differences between PI and EMI regimes created complexity, uneven supervision, and opportunities for regulatory arbitrage. By merging the two frameworks, the EU aims to simplify oversight and align prudential and safeguarding requirements, creating a more consistent supervisory environment across the single market.

When the European Council and Parliament reached a provisional political agreement on PSD3 in November 2025, Danish Business Minister Morten Bødskov described the directive as “a major step in the fight against payment fraud in the EU.”

PSD3 will strengthen fraud protections by tightening and clarifying Strong Customer Authentication (SCA) and redistributing liability. Once PSD3 enters into force, payment service providers (PSPs) will be liable if they fail to verify payee details. Payment schemes and technical providers may also be held responsible when SCA is not properly applied, while issuers will face liability for spoofing fraud.

The directive confirms that SCA can be delegated to third parties and clarifies that authentication must be applied when cards are added to digital wallets.

It also requires richer contextual data sharing—including device, location, transaction timing, and behavioral signals—to improve fraud detection and authorization accuracy. Mandatory Confirmation of Payee will verify IBANs and account holder names during credit transfers, and a clear GDPR-compliant legal basis will be established for fraud intelligence sharing between PSPs.

For payment companies, fraud management is set to become a core regulatory exposure. Firms will need to invest in real-time verification infrastructure, stronger behavioral analytics, and tighter third-party oversight. Existing contractual arrangements between schemes, PSPs, and service providers are likely to require review in light of the revised liability model.

PSD3 updates the authorization and supervision framework for firms operating across multiple EU jurisdictions, clarifying supervisory responsibilities and reducing ambiguity around passporting.

The directive also tightens the commercial agent exemption, which has allowed some marketplaces and platforms to provide payment-related services without full authorization. While the final scope remains under negotiation, PSD3 is likely to include narrower exemptions and potentially expanded licensing requirements for certain platform models.

For cross-border operators, supervisory scrutiny will increase, and opportunities to rely on structural regulatory differences between member states will be reduced. Platform-based firms may need to reassess whether existing arrangements remain viable under the revised regulatory perimeter.

PSD3 is closely aligned with the Digital Operational Resilience Act (DORA), which strengthens operational resilience and ICT risk management standards.

Under the new rules, SCA must be accessible to users with limited digital skills or disabilities. Additionally, SCA should not rely solely on smartphones—a measure intended to reduce digital exclusion. Refund rights are expected to expand for victims of unauthorized transactions and certain types of fraud.

As firms work toward compliance, technology stacks will need to support inclusive authentication journeys without compromising security. Expanded refund rights may increase dispute volumes and operational costs, requiring stronger case management and clearer customer communication processes.

Full clarity will come with the publication of the directive’s final text and the start of the 18-month compliance countdown. As the PSR is directly applicable EU law, it will take effect upon publication in the Official Journal without the need for national implementation. As such, some requirements could be enforced within weeks rather than years.

Although details of the directive may still evolve, one thing is clear: PSD3 is not a minor update. It represents a structural recalibration of Europe’s payments framework—requiring close attention from all payments stakeholders.

Whatever stage of preparation you are in, we can help. Critical Software brings deep experience in delivering secure, resilient systems in high-assurance sectors including space, transportation, and defense. Get in touch to learn how we can support PSD3 compliance and strengthen operational resilience in a rapidly changing regulatory landscape.