PSD3 and the Payment Services Regulation (PSR) are the most significant overhaul of European payments regulation since PSD2 came into effect in 2018. On 27 November 2025, the European Parliament and the Council reached provisional political agreement on both texts. On 23 April 2026, COREPER endorsed the trilogue agreement and the final compromise texts were published. The European Parliament’s plenary vote is expected in late May, with publication in the EU Official Journal anticipated for June or July 2026 (potentially slipping to September). The PSR will enter into force 20 days after publication and apply EU-wide approximately 21 months later, with PSD3 requiring national transposition over the same window.
For European merchants, this is the regulatory backbone that will govern how online card payments are authenticated, how Strong Customer Authentication exemptions apply, how cross-border refunds work, how open banking APIs perform, and how fraud liability is allocated for the rest of the decade. The merchants who prepare now will adapt their stacks cleanly during the transition. The merchants who treat 2028 as the deadline will discover in 2027 that the operational, contractual, and technical work required is materially larger than they had assumed.
This guide explains what PSD3 and PSR actually are, how they differ from PSD2, the timeline as it stands in mid-2026, the specific changes that affect merchants directly, and what enterprise payment teams should be doing now to prepare.
The Third Payment Services Directive (PSD3) is an EU Directive that updates the authorisation, supervision, and licensing framework for payment service providers and e-money institutions across the European Economic Area, requiring national transposition by each Member State.
The Payment Services Regulation (PSR) is a directly applicable EU Regulation that governs conduct of business rules for payment services, including Strong Customer Authentication, fraud liability, open banking standards, transparency obligations, and consumer protection.
Together, they replace PSD2 and the existing E-Money Directive (EMD2), creating a single supervisory and regulatory framework for European payments. The split between a directive and a regulation is itself a major structural change: where PSD2 was transposed unevenly across Member States (creating fragmentation that merchants had to navigate country by country), the PSR will apply directly and uniformly across all 27 EU members without national interpretation.
PSD2 was designed in the mid-2010s and came into force at a time when the payments market looked materially different. Since 2018, the European payments market has transformed: electronic payments grew from €184 trillion in 2017 to €240 trillion by 2021, open banking matured into a meaningful infrastructure layer, instant payment rails became standard, mobile wallets reached majority adoption in many markets, and fraud sophistication outpaced the controls available under the old framework.
The European Commission proposed PSD3 and PSR in June 2023 to address gaps and weaknesses that had become visible across the PSD2 implementation:
PSD3 and PSR address each of these areas. The two instruments together represent what most legal commentators describe as a rebalancing of the European payments value chain rather than an incremental update.
The single most important structural change in the new framework is that what was one directive under PSD2 is now two instruments under the new regime. The split is deliberate.
PSD3 (the Directive) covers areas where Member States legitimately retain some discretion:
Member States must transpose PSD3 into national law within the implementation window. This allows for some local interpretation while maintaining a harmonised baseline.
PSR (the Regulation) covers areas where uniformity matters most for the single market:
The PSR applies directly across all Member States from the day it enters into force. There is no national transposition, no opportunity for local interpretation, and no scope for divergent implementation. For merchants operating cross-border in Europe, this is the single largest practical benefit of the new framework.
The differences between the new framework and PSD2 fall into seven major areas:
The E-Money Directive (Directive 2009/110/EC) is repealed entirely. E-money institutions become a sub-category of payment institutions under PSD3, with a single licensing regime, harmonised governance requirements, and consistent supervisory expectations. Existing e-money institutions will need to apply for re-authorisation under PSD3 during the transition period.
For merchants, this primarily affects how their PSP partners are structured and supervised, but it also simplifies the picture when evaluating new providers: there is one regulatory category to assess rather than two.
For all credit transfers (not just instant payments), PSPs must verify that the payee name provided by the payer matches the name registered against the destination IBAN. Where there is a discrepancy, the PSP must issue an early warning to the payer before the transfer completes.
This is a major operational change. The mechanism is already in place under the Instant Payments Regulation for SEPA instant transfers, but PSR extends it to all credit transfers. For merchants, the practical impact is on B2B payments, refund processing, and any flow involving bank-to-bank transfers.
PSR significantly strengthens the obligations on PSPs to prevent fraud and reimburse victims. Key changes:
For merchants, this changes the fraud risk allocation in subtle but important ways. PSPs will have stronger incentives to share fraud signals, which can benefit legitimate merchants whose transactions get fewer false declines. But the broader reimbursement framework also raises the bar on merchant-side fraud controls, since merchants whose flows facilitate impersonation or push-payment fraud will face greater pressure from their PSPs.
For a deeper view of fraud prevention strategy, see Gr4vy’s guide on payment fraud prevention strategies for 2026.
PSR retains the core SCA framework from PSD2 but clarifies and expands it. The list of actions that trigger SCA is expressly expanded to include:
The core SCA exemptions (Low Value Transaction, Merchant-Initiated Transaction, Transaction Risk Analysis, Trusted Beneficiary, Secure Corporate Payment) are retained, with the European Banking Authority continuing to develop the relevant regulatory technical standards. The framework is recognisable to anyone familiar with PSD2, but the boundaries are sharper and the application is more consistent.
For merchants, the practical impact is that the SCA exemption strategy that has worked under PSD2 will continue to work under PSR, with the additional clarity making cross-border consistency easier to achieve. Our guide on 3D Secure 2 covers the technical mechanism that satisfies most SCA obligations.
PSR significantly tightens the rules around open banking API performance and access. Key changes:
For merchants offering pay-by-bank or A2A payment options, the operational reliability of open banking improves substantially. For merchants competing with banks for customer payment relationships, the regulatory playing field tilts further toward open access.
Under PSD2, technical service providers (TSPs) operating behind the scenes for PSPs were largely outside the supervisory perimeter. PSD3 brings them in. Outsourcing arrangements with TSPs that provide SCA, fraud screening, or other critical services must be governed by detailed written agreements covering scope, roles, service levels, audit rights, and exit plans. The European Banking Authority will set further standards for these arrangements.
This change affects merchants indirectly through their PSP relationships. PSPs will require more from their TSP partners, and the operational standards merchants should expect from their payments infrastructure will rise accordingly.
PSR strengthens consumer-facing transparency requirements:
For merchants processing cross-border transactions, the disclosure obligations affect how prices are presented and how customers are informed of conversion costs.
| Dimension | PSD2 (current) | PSD3 + PSR (incoming) |
|---|---|---|
| Legal structure | Single directive, transposed nationally | Directive (PSD3) plus directly-applicable Regulation (PSR) |
| Harmonisation across Member States | Inconsistent | Uniform (for PSR conduct rules) |
| Payment and e-money licensing | Separate regimes | Single regime under PSD3 |
| SCA framework | Established | Retained, expanded, clarified |
| IBAN-name verification | Optional for non-instant transfers | Mandatory for all credit transfers |
| Fraud reimbursement | Limited, uneven by Member State | Expanded, mandatory for impersonation fraud |
| Open banking API performance | Loosely defined | Strictly defined, regulator-enforced |
| Technical service provider oversight | Limited | Brought into scope |
| AISP passporting | National registration | EU-wide single registration |
| Cross-border transparency | Partial | Comprehensive |
| Penalties for non-compliance | Member-State discretion | Harmonised, with maximum thresholds |
The pattern across every row is the same: the new framework standardises what was inconsistent, strengthens what was weak, and clarifies what was ambiguous. For merchants operating in a single Member State, the changes are meaningful but manageable. For merchants operating cross-border, the harmonisation benefits are substantial.
The legislative process is now in its final stages. The key dates as of mid-2026:
| Date | Stage | What it means |
|---|---|---|
| 28 June 2023 | European Commission publishes PSD3 and PSR proposals | Legislative process begins |
| November 2025 | Trilogue political agreement reached | Substantive content settled |
| 22 April 2026 | COREPER endorses trilogue texts | Council preparatory approval |
| 23 April 2026 | Final compromise texts published | Text available for review |
| 5 May 2026 | ECON Committee vote (Parliament) | Committee-stage approval |
| Late May 2026 | Parliament plenary vote | Final Parliament approval |
| June-September 2026 | Legal-linguistic review | Final wording fixed across all official languages |
| Q2/Q3 2026 | Publication in EU Official Journal | The starting point for all subsequent deadlines |
| 20 days after publication | PSR enters into force | The regulation is legally operational |
| 21 months after publication | PSR fully applicable | Full compliance required (Q1-Q4 2028) |
| 18-21 months after publication | PSD3 national transposition deadline | Member States must have transposed PSD3 into national law |
The preparation window is real but not generous. For a merchant whose payment stack involves multiple Member States, multiple PSPs, and complex authentication flows, 21 months is a meaningful project timeline but not a comfortable one.
The merchant-facing implications of PSD3 and PSR cluster into six areas:
New trigger events for SCA include token creation and replacement, spending limit changes, and contact detail updates. Merchants whose flows touch any of these (subscription sign-up, payment method updates, account changes) need to ensure their authentication infrastructure handles the new triggers correctly.
For most enterprise merchants already operating in SCA-regulated markets, this is an incremental adjustment rather than a fundamental change. The infrastructure that handles 3DS2 authentication on initial CITs typically handles the new triggers cleanly.
The existing SCA exemptions (LVT, MIT, TRA, Trusted Beneficiary, Secure Corporate Payment) are retained. The European Banking Authority continues to develop the technical standards. The practical implication: SCA exemption strategy under PSR will be recognisable to anyone running it well under PSD2, with the additional benefit of more consistent application across Member States.
The MIT exemption is particularly relevant for subscription, installment, and stored-credential merchants. For the full framework, see Gr4vy’s guide on merchant-initiated and customer-initiated transactions.
Mandatory reimbursement obligations on PSPs for impersonation fraud and certain other categories raise the bar on PSP fraud controls. For merchants, this generally translates into stronger fraud screening by their PSP partners, with downstream effects on false decline rates and false approval rates.
Merchants whose flows are vulnerable to impersonation fraud or push-payment fraud (B2B invoicing, high-value cross-border, certain marketplace patterns) should expect more scrutiny from PSP partners and may need to strengthen their own controls to maintain commercial terms.
The IBAN-name verification mandate affects refund flows that use credit transfers. Refunds issued to bank accounts (rather than back to the original card) will need to clear the same name-IBAN matching that all credit transfers do, which adds verification steps but also reduces fraud exposure.
For merchants with high refund volumes or complex refund workflows, this is one of the operationally trickier changes to plan for.
Because PSR applies directly across all Member States, merchants operating cross-border benefit from consistent rules without the national variation that PSD2 produced. For merchants whose European volume is concentrated in two or three countries, the benefit is moderate. For merchants operating across 10+ European markets, the consistency reduces compliance overhead meaningfully.
For more on the cross-border picture, see Gr4vy’s guide on recurring payments in Europe.
The commercial agent exemption (the rule that allows certain marketplaces and platforms to facilitate payments without holding a payment services licence) is being clarified, with the European Banking Authority developing guidelines for consistent national application. The exemption is retained, but its scope and conditions are being refined.
For platforms and marketplaces that currently rely on the commercial agent exemption, the practical impact will not be clear until the final text is published and the EBA guidance is issued. Some platforms may find their current structures need adjustment; others will continue to operate as they do today.
For merchants operating with multiple PSPs, PSD3 and PSR have specific implications that single-PSP analyses tend to miss.
Consistency across PSPs becomes legally required. Under PSD2, different PSPs in different Member States could implement the same regulation slightly differently. The PSR’s direct applicability means all PSPs operating in any EU Member State must apply the same conduct rules. For multi-PSP merchants, this means SCA application, fraud handling, refund processing, and authentication flows will be more consistent across providers than they have been historically.
The integration burden shifts to the orchestration layer. Each new SCA trigger, fraud handling requirement, and IBAN verification rule has to be implemented somewhere in the payment stack. Merchants whose stack is heavily PSP-specific will need to coordinate changes across each PSP integration. Merchants whose stack runs through an orchestration platform can implement changes once and apply them across every connected PSP.
Authentication data portability matters more. With SCA triggers expanding to cover token creation and replacement, the authentication context attached to a stored credential becomes more valuable. If that context is locked inside a single PSP’s records, switching PSPs requires re-establishing authentication relationships. If the context is maintained at the orchestration or merchant layer, it travels across PSP boundaries cleanly. For the broader pattern, see Gr4vy’s analysis of PSP tokens vs network tokens.
Fraud signal sharing benefits compounding scale. The expanded provisions for fraud-related data sharing between PSPs benefit merchants whose orchestration platform can aggregate signals across multiple PSP relationships and apply them consistently. Single-PSP merchants get the benefit of one PSP’s signal pool; orchestration-based merchants get the benefit of multiple.
Routing decisions can target the strongest fraud-control PSP for each transaction. Under the expanded liability framework, PSPs with stronger fraud controls become more attractive routing destinations for high-risk transactions. Multi-PSP merchants with intelligent routing capability can direct transactions to the PSP best positioned to handle each one. For more, see Gr4vy’s guide on intelligent payment routing.
For merchants beginning to plan their PSD3/PSR readiness work, the sequence below captures the order most likely to deliver results without rushed compliance work in 2027 and 2028.
Months 1-3 (mid-to-late 2026): Audit and inventory. Map every payment flow that touches an EU-located customer, PSP, or acquirer. Document current SCA application, exemption use, fraud screening, and IBAN handling. Identify which PSP integrations would require changes under the new triggers and obligations. This audit becomes the baseline against which all subsequent work is measured.
Months 3-6 (late 2026 – early 2027): Gap analysis and partner alignment. Work through each gap identified in the audit. Engage PSPs, acquirers, and orchestration partners to understand their roadmaps for PSD3/PSR compliance. Identify which gaps the partners will close on the merchant’s behalf and which require merchant-side changes.
Months 6-12 (2027): Technical implementation. Build or configure the changes identified in the gap analysis. SCA trigger expansion, IBAN verification flows, refund workflow updates, and fraud screening upgrades all typically fall into this window. For merchants using an orchestration platform, this work is concentrated at the orchestration layer rather than spread across each PSP integration.
Months 12-18 (mid-to-late 2027): Testing and validation. End-to-end testing of the updated flows in production-like environments. Conformance testing with PSP partners. Operational team training on the new procedures (especially fraud reimbursement handling and refund verification).
Months 18-21 (2028): Production cutover and stabilisation. The PSR becomes fully applicable in this window. Live operation under the new rules with monitoring, incident response, and tuning as edge cases emerge.
Merchants who start the audit in Q3 2026 will be comfortable. Merchants who wait until late 2027 will be cutting it close.
A handful of patterns separate well-prepared merchants from those who struggle in the transition:
Treating it as a PSP problem rather than a merchant problem. PSPs handle a substantial share of the compliance work, but key decisions (SCA exemption strategy, fraud control posture, refund workflow design) belong to the merchant. Outsourcing the question entirely to the PSP produces inconsistent results across multi-PSP setups and limits the merchant’s strategic optionality.
Waiting for the final text before starting work. The final published text will differ from the April 2026 compromise text in minor ways, but the substantive content is now settled. Merchants who wait until the OJ publication to begin work compress their preparation window by months.
Ignoring the cross-border consistency benefit. Many merchants have built complex country-specific workarounds for PSD2 implementation differences across Member States. Under PSR, these workarounds become unnecessary. Audit them now so they can be retired during the transition rather than maintained indefinitely.
Underestimating the IBAN verification scope. The mandatory IBAN-name matching applies to all credit transfers across the board, including bank flows that previously did not require such verification. Merchants with non-card payment flows (refunds via bank transfer, B2B settlement, marketplace payouts) need to plan for verification steps that did not exist under PSD2.
Skipping the fraud control review. The expanded reimbursement obligations on PSPs will translate into PSP-side scrutiny of merchant fraud controls. Merchants whose fraud posture has not been audited recently should expect more questions from PSP partners as the new rules approach.
Failing to align internal teams. Compliance, security, payments engineering, finance, and customer support all touch PSD3/PSR-affected flows. Without explicit coordination, individual teams make assumptions that conflict with each other’s plans.
PSD3 (the Third Payment Services Directive) is an EU Directive that updates the authorisation, supervision, and licensing framework for payment service providers and e-money institutions across the EU. It replaces parts of PSD2 and the E-Money Directive (EMD2). PSD3 requires national transposition by each Member State, with a transposition window of 18-21 months after publication.
The Payment Services Regulation (PSR) is a directly applicable EU Regulation that governs conduct of business rules for payment services, including SCA, fraud liability, open banking, and consumer transparency. Unlike a directive, the PSR applies uniformly across all EU Member States without national transposition, which is its single most important structural feature.
The texts are expected to be published in the EU Official Journal in June or July 2026 (potentially slipping to September). The PSR enters into force 20 days after publication and applies fully approximately 21 months later (Q1-Q4 2028). PSD3 requires national transposition over a similar window.
PSD3 is a Directive covering authorisation, supervision, and licensing rules where Member States retain some discretion in transposition. PSR is a Regulation covering conduct of business rules where uniformity matters most for the single market. The split allows for local flexibility on supervisory matters while ensuring consistent application of customer-facing rules across all Member States.
Yes. PSD3 and PSR together repeal and replace PSD2 and EMD2. The frameworks that have governed European payments since 2018 are being superseded by the new package.
PSR (the regulation part of the package) retains the core SCA framework from PSD2 and refines it. The list of actions that trigger SCA is expanded to include token creation and replacement, spending limit changes, and contact detail updates. The core exemptions (LVT, MIT, TRA, Trusted Beneficiary, Secure Corporate Payment) are retained, with the EBA continuing to develop the technical standards.
Yes, indirectly. 3DS2 is the dominant technical mechanism for satisfying SCA on card-not-present transactions, and PSD3/PSR refine the SCA framework that 3DS2 supports. Merchants should expect their 3DS2 implementation to handle the expanded SCA triggers (new token creation, spending limit changes, etc.) once the new rules apply. The protocol itself is not changing.
PSR applies directly across all Member States, eliminating the cross-Member-State variation that PSD2 produced. For merchants operating in multiple EU countries, the rules will be consistent rather than country-specific. Mandatory IBAN-name verification on all credit transfers (including cross-border) adds a verification step but also reduces fraud exposure on bank-to-bank flows.
Under PSR, PSPs must verify that the payee name provided by the payer matches the name registered against the destination IBAN for all credit transfers. Where there is a discrepancy, the PSP must warn the payer before the transfer completes. This is already mandatory for SEPA instant transfers under the Instant Payments Regulation; PSR extends it to all credit transfers.
The E-Money Directive (EMD2) is repealed. E-money institutions become a sub-category of payment institutions under PSD3, with a single licensing regime. Existing e-money institutions must apply for re-authorisation under PSD3 during the transition period.
Yes, significantly. PSR tightens the requirements for open banking API performance and uptime, requires national regulators to act “without delay” against poorly-performing interfaces, and curtails reliance on fallback interfaces. AISPs gain passporting rights, enabling cross-border service provision with a single home-state registration. Customer dashboards for managing open banking permissions become mandatory.
Not directly. The UK is no longer in the EU and is not bound by PSD3 or PSR. However, UK merchants serving EU customers will need to comply with PSD3/PSR for those transactions, and UK PSPs operating in the EU under passporting will need to align their EU operations with the new framework. The UK has its own ongoing review of payment services regulation, with some divergence from the EU framework expected.
PSR expands fraud reimbursement obligations on PSPs, particularly for impersonation fraud and certain other categories. This generally translates into stronger fraud screening by PSPs (with downstream effects on false decline rates) rather than direct changes to merchant fraud liability. However, merchants whose flows facilitate impersonation or push-payment fraud may face stronger scrutiny from PSP partners.
The practical preparation work falls into five phases over roughly 18 months: audit current flows against the new rules, conduct gap analysis with PSPs and orchestration partners, implement technical changes (SCA triggers, IBAN verification, refund workflows), test end-to-end before the deadline, and execute the production cutover when PSR becomes applicable. Merchants who start the audit in 2026 will be comfortable; those who wait until 2027 will be working under time pressure.
PSD3 and PSR represent the most significant regulatory shift in European payments since PSD2 came into effect. The headline changes (single regulatory framework, mandatory IBAN-name matching, expanded fraud liability, stronger open banking) attract the most attention, but the structural shift to a directly-applicable regulation is what will produce the largest practical benefits for merchants operating cross-border in Europe.
For most enterprise merchants, the preparation work is substantial but not unprecedented. The infrastructure that was built for PSD2 compliance is the starting point. The SCA framework that handled the 2019-2021 transition handles most of the PSR’s SCA changes cleanly. The fraud controls that have evolved since PSD2 came into effect are the foundation for the expanded reimbursement framework. The work involves adjusting, refining, and harmonising existing systems instead of rebuilding from scratch.
The merchants who emerge from the transition in the strongest position will share three characteristics. Their payment infrastructure will be flexible enough to absorb the new triggers, obligations, and verification steps without rebuilding. Their PSP and acquirer relationships will be aligned with the new framework instead of being locked into PSD2-era assumptions. And their cross-border operations will benefit from the harmonisation that PSR delivers, with the country-specific workarounds of the PSD2 era retired during the transition.
Gr4vy’s cloud-native payment orchestration platform handles PSD3/PSR compliance work centrally across more than 400 connected PSPs and payment methods. SCA triggers, exemption application, IBAN verification, and fraud control coordination all operate at the orchestration layer instead of being spread across each PSP integration. For merchants planning their preparation roadmap, this concentrates the implementation work in one place across every provider relationship.
If you’re evaluating your current PSD2 stack against the new requirements or want to understand how the transition could be unified across your existing PSP relationships, contact our team for a stack review and preparation plan tailored to your current architecture.
3D Secure 2 (3DS2) is the authentication protocol that decides whether most of your card-not-present…
Integration gives merchants direct access to global acquiring through orchestration, with control over routing, authentication,…
Every card transaction is classified by the card networks as either customer-initiated (CIT) or merchant-initiated…
Peak moments don’t break systems by accident. They expose the limits that were always there.…
Mastercard is changing how transactions are tracked across the payment lifecycle. The Transaction Link Identifier…
Last updated May 21st 2026 Around half of online merchants now use more than one…