
PSD3 implementation for merchants: What you need to do & what you need to know

The PSD3 is well underway, and merchants selling in the EU/EEA will have to embrace the new directive. Here’s how to use PSD3 to your advantage.

27 April 2026


The Payment Services Directive 2 (PSD2) was a game-changer in the payments industry. It aimed to improve security measures in a sector overburdened by fraud and to make payments easier and faster. Yet, despite its benefits, it failed to address many of the complexities of the payments industry, choosing arbitrary benchmarks and, importantly for merchants, pushing down fraud in one channel only for it to move to others.

In December 2025, the European Parliament and Council agreed to update PSD2, paving the way for the next iteration of the Payment Services Directive: PSD3.

But with 72% of merchants saying they are “somewhat” or “very” concerned that PSD3 implementation will negatively affect their business, understanding PSD3 requirements can help alleviate this concern.

Why a new Directive?

PSD3 and the Payment Services Regulation (PSR) are updates to the PSD2 legislation, brought in to further strengthen and standardize payments: PSR provides the rules and standards for implementing PSD3.

Key improvements are in the area of fraud prevention, consumer rights, and harmonization of payment rules across the EU.

PSD3 focuses on common types of fraud, such as authorized push payment (APP) fraud.

The benefits to merchants who implement PSD3 rules include:

  • improved efficiency in the payment process,

  • access to new anti-fraud and payment technologies, and

  • better consumer experiences.

PSD3 implementation: How the directive impacts merchants

PSD3 improvements in payment accessibility, anti-fraud measures, and technological innovation are essential, given the average annual fraud loss per enterprise merchant of $10.6 million – as found in Ravelin’s Fraud & Payments Survey.

It’s this level of loss, alongside technological advances, that has driven the Payment Services Directive update. To capture this zeitgeist in payments, PSD3 has broadened and strengthened the scope of payment protection.

Merchants and PSPs must consider the following key points to maintain compliance:

1. Customers must be offered a broader range of payment technologies

Payment technology innovation is moving quickly. Options such as embedded finance and digital wallets are now common compared to the era of PSD2.

Offering a broader range of payment options is expected to improve the overall customer experience. Merchants can benefit by servicing customers who might otherwise go elsewhere for products and services. And those merchants who become early adopters are going to have the competitive advantage.

The EUDI Wallet is a case in point. The EU Digital Identity Framework Regulation (EU) requires Member States to offer at least one EU Digital Identity (EUDI) Wallet to all citizens and residents by November 2026. This is broadly in line with the implementation period for PSD3.

Merchants who support the EUDI Wallet will benefit from verified identity credentials.

2. You must authenticate all customers online

Stricter Strong Customer Authentication (SCA) requirements are coming in with PSD3.

Even customers without smartphones and biometrics must still be able to authenticate online. This requirement is in line with the EU’s mantra of improvement to accessibility for all.

Merchants who can offer reduced-friction authentication experiences will benefit from providing accessibility – and thus increasing their customer pool – while maintaining security and compliance.

3. Use advanced monitoring to reduce fraud

PSD3 expands and strengthens the use of transaction monitoring. Two new articles (Articles 83 and 84) have been introduced to handle transaction monitoring requirements.

Transaction monitoring is there to limit fraud, with Article 84 requiring PSPs to "alert users 'via all appropriate means and media' – when new payment fraud emerges, and how to identify fraudulent attempts."

The European Banking Authority’s Regulatory Technical Standards for payment service providers call for transaction monitoring that captures environmental and behavioral information such as customer location or spending habits.

One of the core requirements of PSD3 for handling fraud detection is for payment service providers (PSPs) to share data in real-time.

Fraud detection techniques such as behavioral data and graph analysis generate real-time data that can be dynamically shared to rapidly identify fraud.

Graph analysis connects customer data points, such as email addresses and phone numbers, to uncover hidden connections between seemingly unrelated accounts, and is a critical anti-fraud tool that can be used to this end.
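The linking step described above can be sketched as follows. This is an added example, not Ravelin's code or part of the original article; the account records, field names and the `normalize` and `linked_clusters` helpers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; account IDs, emails and phone numbers are made up.
ACCOUNTS = [
    {"id": "acct-1", "email": "Ana@example.com", "phone": "+44 20 7946 0001"},
    {"id": "acct-2", "email": "bo@example.com", "phone": "+442079460001"},
    {"id": "acct-3", "email": "bo@example.com ", "phone": "+44 20 7946 0002"},
    {"id": "acct-4", "email": "cy@example.com", "phone": "+44 20 7946 0003"},
]

def normalize(kind, value):
    """Canonicalize identifiers so trivial formatting differences still match."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value

def linked_clusters(accounts, kinds=("email", "phone")):
    """Group accounts connected, directly or transitively, by a shared identifier."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups fast
            x = parent[x]
        return x

    shared = defaultdict(set)  # (kind, normalized value) -> accounts using it
    for acct in accounts:
        for kind in kinds:
            if acct.get(kind):
                key = (kind, normalize(kind, acct[kind]))
                for other in shared[key]:
                    parent[find(other)] = find(acct["id"])  # union the two sets
                shared[key].add(acct["id"])

    groups = defaultdict(set)
    for acct_id in parent:
        groups[find(acct_id)].add(acct_id)
    clusters = []
    for members in groups.values():
        if len(members) > 1:
            # Report which identifiers tie the cluster together, for analyst review.
            links = sorted(k for k, ids in shared.items() if len(ids) > 1 and ids <= members)
            clusters.append({"accounts": sorted(members), "links": links})
    return sorted(clusters, key=lambda c: c["accounts"])
```

Here `acct-1` and `acct-3` share no identifier directly, yet both land in one cluster through `acct-2`, which is the kind of hidden connection a per-account rule would miss.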

4. Move to offer seamless, improved customer experiences

Standardizing open banking APIs will enhance CX and expand payment options.

The Directive also allows payment providers to develop custom APIs to further improve the customer experience through uninterrupted service. This works to your advantage as a merchant, opening up plenty of opportunities for better customer journeys.

5. Sharing data will be an essential requirement

Fraud-related information must be shared between PSPs, in a move that embraces network data.

This data includes user location, transaction time, devices used, spending habits, transaction history, session data, and device IP.

This data sharing is achieved within the privacy constraints of GDPR by invoking anti-fraud requirements.

PSD3 deadlines for merchants

PSD3 was officially agreed on November 27, 2025, beginning the adoption phase.

The implementation period is 18 months, but may extend to 24 months. The European Commission has set a likely date for the entry into force of PSD3 regulations for some time in 2027.

[Figure: PSD3 opinions]

Who does PSD3 apply to, and where?

All EU member states and all European Economic Area (EEA) countries must comply with PSD3. But if a merchant sells to persons in the EU or EEA, they will also be required to meet PSD3 requirements – no matter where that merchant is located.

In the UK, PSD3 will not automatically apply, but it will likely mirror PSD2 requirements, meaning merchants that sell to EU or EEA countries will be required to comply. Exemptions are likely to align with PSD2, such as for low-value transactions.

It is unclear as of yet how the UK Government’s plans to change current SCA requirements to an “outcomes-based approach” will affect PSD3. If it does, however, it is likely to only affect merchants who sell domestically, as those who seek the custom of EU and EEA citizens will still need to follow PSD3.

A 2025 HM Treasury report, “Strategy for Future Retail Payments Infrastructure”, sets out a vision for how payments ought to be handled in the UK. The features of the report, such as support for open banking, anti-fraud measures, and robust authentication, somewhat mirror PSD3 requirements.

However, the report states that “The development and delivery of next-generation retail payments infrastructure will be a multi-year endeavor” so no short-term changes are expected to come of it.

Penalties for non-implementation

Penalties for businesses that sell to EEA nationals and fail to implement PSD3 measures by the deadline are yet to be confirmed, but they are likely to be similar to PSD2 penalties.

PSD2 typically sets fines at up to 4% of annual revenue.

Specifically, Article 103 of the PSD2 legislation leaves the details of fines and other penalties to member states, mandating that “Such penalties shall be effective, proportionate and dissuasive.”

PSD3 PSP fraud liability updates

Customer rights are enhanced in PSD3. One development to watch is changes to the liability of online platforms for PSPs who reimburse defrauded customers.

In November 2025, EU Parliament and Council negotiators released a list of changes that impact liability standing:

  • The PSP must implement appropriate fraud prevention mechanisms or be liable for covering customers’ losses. Transaction monitoring requirements are strengthened.

  • PSPs must check that a payee’s name and unique identifier match. If a match is not made, a PSP must refuse the payment order and inform the payer.

  • PSPs must provide spending limits and measures to reduce the risks of fraud.

  • In the case of impersonation fraud, a PSP must “refund the full amount as long as the customer reports the fraud to the police and informs their PSP.”

Notably, the Council states: “If a fraudster initiates or changes a transaction, it will be treated as unauthorized transaction and the PSP will be liable for the full fraudulent amount.”

Harmonization is a critical aim of PSD3. This is reflected in the fact that non-bank PSPs now have the same bank account and payment system access as bank PSPs under PSD2.

However, with improved access comes broadened liability. PSPs must use “appropriate” fraud prevention mechanisms. If found to be lacking, they will be liable for customer losses. Monitoring, risk assessment, and transaction authentication are mandatory.

PSPs will be expected to increase awareness of payment fraud among their customers and staff. APP fraud and payer manipulation are a focus.

Under PSR, liability now includes areas such as spoofing and failure to cross-check a customer's name and IBAN. The European Commission highlighted spoofing, stating:

“PSD3 will go beyond the PSD2 tackling new types of fraud like ‘spoofing’ (impersonation fraud), which blur the distinction between unauthorised and authorised transactions, since the consent given by the customer to authorize a transaction is subjected to manipulative techniques by the fraudster…”

Do changes in open banking affect merchants?

Open banking has seen barriers to uptake because banking APIs were inconsistently designed and built. This led to implementation overhead and a lack of consistent and seamless customer experience.

PSD3 addresses these issues by standardizing open banking APIs.

Standard, consistent open banking rails can help improve uptake and smooth interoperability and usability for merchants and PSPs.

In practice, this can also ensure a more seamless experience for customers, as merchants will be able to take payments directly from banks via open banking connectivity. Payments are authorized and settled instantly using rails such as SEPA Instant. Recurring payments are automatically agreed and processed.

This increases options offered to customers, and can thus broaden your customer base when adopted. A2A bank payments are already on the rise across Europe, with consumers in Germany and the Netherlands found to prefer this payment method in our Global Payments Report 2026.

Real-time fraud detection is now a necessity

PSD3 has created an environment that helps minimize friction for customers while remaining secure and compliant. The Directive is updated to leverage technological advances that enable a shift from old, static, rules-based fraud detection to a more dynamic methodology.

Anti-fraud techniques such as machine learning, behavioral analysis, and contextual signals provide a multi-pronged, dynamic, and predictive approach to fraud detection.

Meanwhile, the use of 3D Secure (3DS) authentication meets the requirement for Strong Customer Authentication – and its effective use also feeds into fraud detection, creating a virtuous cycle.

Interestingly, better protection from fraud was listed as the top motivator to adopt 3D Secure by merchants, rather than legislation.

Ravelin data published in the Global Payments Report 2026 shows increasing success rates for 3DS authentication, with the UK leading at 95% overall. Importantly, 3DS is used not only to reduce fraud but also to resolve disputes and prevent chargebacks. It is also used to comply with the updated PSD2 requirements for data sharing.

[Figure: motivators for 3D Secure for merchants]

However, no single technology or tool will provide 100% anti-fraud coverage and PSD3 compliance. A robust SCA transaction optimization approach combined with AI-assisted technologies, including machine learning, graph analysis, and behavioral analysis, provides the optimal mix.

Concluding advice for merchants implementing PSD3

The golden chalice of risk mitigation with reduced friction for customers is the goal of PSD3.

The latest requirements of this Payment Services Directive update present an opportunity for merchants to reassess their payment strategy and attract new shoppers by adding new payment options, such as digital wallets, and leveraging the seamless nature of standardized open banking rails.

Payment strategy is intrinsically linked to security; options and security gain customer trust and loyalty. Merchants can begin the implementation process by evaluating core technology solutions such as 3DS, transaction optimization and advanced anti-fraud tools that include graph networks and behavioral analysis.

The implementation period may be up to 24 months but by starting the exploration today, a merchant can get ahead of the game to deliver exceptional options and experiences, keeping customers happy while preventing fraudulent transactions and chargebacks.
