Everything you need to know about PSD3

Introducing the latest updates in financial regulations: PSD3, the newest version of the Payment Services Directive. This update is all about enhancing security measures and making sure merchants and their customers are better protected in the payments space. In this blog, we'll break down the main differences between PSD3 and its predecessor, PSD2, and run through why these changes help your business.

What’s in this article?

• What is PSD3?
• When does PSD3 come into effect?
• New SCA requirements
• Spoofing prevention
• Advancements in open banking

What is PSD3?

PSD3, the third iteration of the Payment Services Directive from the European Commission, represents an updated version of its predecessor, PSD2. In simple terms, it’s just an updated set of rules designed to safeguard consumers, merchants, payment providers and banks.

When does PSD3 come into effect?

Predicted to be finalised by 2024 and implemented in 2026, this latest directive places a spotlight on specific areas, such as Strong Customer Authentication (SCA), 'spoofing' prevention and enhancements to the open banking framework. PSD3 focuses on topics that weren’t paid enough attention in PSD2 and addresses emerging technologies that have gained popularity in recent years. We’ve highlighted the main changes that you’ll want to hear about:

New SCA requirements

One improvement brought by previous directives is, without a doubt, the emphasis on SCA requirements. This security feature requires customers to provide at least two pieces of identifying information during the payment process. The proof is in the pudding, and regions enforcing SCA have seen a substantial decrease in card-not-present (CNP) fraud rates.

However, the implementation of SCA has raised valid concerns about increased friction at the checkout, potentially creating a negative experience for customers. Recognising these issues, PSD3 introduces new requirements to address and improve upon the existing framework:

• Exemptions: PSD3 provides more clarity on when certain transactions may be exempt from SCA, including subscriptions (after the first payment) and MOTO transactions, striking a better balance between security and user convenience.
• Approval rates: Businesses will be required to share more data with issuing banks such as user location transaction history and device IP, to become more accurate when declining or approving transactions.
• More SCA methods: PSD3 requires payment service providers to offer SCA methods that don’t just rely on one technology, aka smartphones. This inclusivity ensures accessibility for all users!

Spoofing prevention

Spoofing is a pretty deceptive technique in which fraudsters trick customers into consenting transactions by mimicking trustworthy sources like a bank’s email address, phone number or website. The European Commission has acknowledged the need for additional regulations to effectively prevent and detect this type of fraud:

• IBAN and name matching: To enhance security, ALL credit transfers will now require an IBAN/name check (also known as Confirmation of Payee). This means banks will have to verify that the account name matches the IBAN linked to the customer’s name, adding an extra layer of authentication.
• Liability shift: In the case spoofing occurs, the liability of this authorised fraudulent transaction will reverse from users and payment service providers to the issuers.
• Transaction monitoring: Measures to monitor transactions will be boosted, with a specific focus on identifying unusual and potentially fraudulent payment activities.
• Legal framework: A legal framework is being established for payment service providers to share information on fraud, including data related to ongoing scams.

Advancements in open banking

Open banking, a system enabling secure sharing of a customer's financial information among banks and financial institutions, has shown its usefulness in revolutionising various financial tasks, including payments and investments. With its countless benefits, it comes as no surprise that its popularity is soaring, boasting eight million users in the UK by November 2023.

In an effort to enhance the functionality of data sharing between banks and third parties, PSD3 is introducing several changes:

• Application programming interface (APIs): The goal is to improve the adoption of open banking by improving APIs’ performance as well as removing obstacles third-party providers have accessing customer bank accounts.
• Consumer dashboard tool: Banks and payment account providers will be required to offer a consumer dashboard tool. This tool provides customers with more visibility into companies with access to their data.

It’s important not to forget that the UK is no longer required to follow PSD3, however it’s likely it’ll alter its own rules in a very similar way. So, it's crucial that you stay informed about these upcoming changes for compliance reasons. But let's not lose sight of the main point – in this evolving payment landscape, PSD3 aims to provide protection and convenience for all merchants navigating the shifts in this complex industry. Understanding and embracing PSD3 will be essential in helping your business adapt and thrive in the changing digital world.