What is PSD3? How the EU’s payment services directives might change

By now, you and your business are likely well aware of PSD2. It was a directive passed by the EU in 2015 and slowly rolled out over the following years to modernise and secure the payment services and banking industry.
 
Today, the EU is preparing to launch PSD3, the third iteration of its Payment Services Directive regulations. In this post, we will look at what you can expect from PSD3, how it might differ from its predecessor, and when it will take effect. 

What is PSD3?

Similar to the directives that have preceded it, PSD3's focus is to address challenges in the banking and financial sector, like transaction security, fraud, open banking, and so on.
 
More specifically, the PSD3 framework will address issues including electronic payments and the banking ecosystem in the European single market area (EEA). It also aims to update several of the restrictions and rules laid out by PSD2, as these have become less relevant and accurate in recent years.

How is PSD3 different from PSD2?

Of course, if you're familiar with PSD2, then the basic goals of PSD3 shouldn't seem too unfamiliar. To help you better understand what sets PSD3 apart from PSD2, here are some of the key differences between these two directives.

Readdressing current open banking requirements

One of the key considerations of PSD3 is whether or not the open banking requirements laid out by PSD2 are adequate. Open banking is great for consumers, allowing them to move assets more easily and transact between accounts held in different financial institutions. 

However, it can pose security risks, and lax requirements has lead to predatory businesses taking advantage of loopholes, consumers, and financial organisations. 

Exploring new kinds of Strong Customer Authentication (SCA)

A major aspect of PSD2 was its definition of Strong Customer Authentication or SCA. PSD2 required at least two forms of authentication to grant access to a customer's account or to authorise certain transactions.

In 2015, SCA was still a relatively new concept, where today, there are a number of techniques used to verify and authenticate a customer's access to an account. It's possible that PSD3 will expand the definition of SCA to allow for these new forms of authentication. 

Considering an extension for the SCA period

Under PSD2, the period determining when SCA will be required is currently 90 days. This means that every 90 days, a customer will need to pass an SCA test to access their account and/or assets. 

PSD3 is considering doubling this period from 90 days to 180 days. Although this may pose security concerns, it would be more convenient and sustainable for customers and businesses. 

Potentially changing contactless limits

As payment technology has continued to develop at pace the use of contactless payments has grown. However, these contactless payments can become less secure very quickly if criminals are able to fraudulently copy payment cards to a device in their control. 

To protect against this, PSD2 set transaction limits on contactless payments. PSD3 might change these limits, making it easier or more difficult for contactless payments to take place, depending on how the limits change. 

Disclosing currency conversion costs before transactions happen

One change that could be coming with PSD3 that would almost certainly benefit consumers would be requiring financial institutions to confirm how much currency conversions will cost before a transaction occurs. 

This would help individuals make decisions before converting between currencies, though it could require some backend development for banks and other companies. 

Rethinking PSD2's exceptions

PSD3 might change PSD2's exceptions. In this case, exceptions are just what they sound like — instances where the normal PSD2 protocols are altered or not applied. 

PSD3 could feature new exceptions, making certain types of transactions easier, more challenging, or more/less secure. It will be up to banks and other financial institutions to update their processes and policies to keep up with PSD3. 

When will PSD3 become law?

Fortunately, for now, there isn't a deadline attached to PSD3. The EU is still deciding on the finer details of PSD3, which means it will likely be some time before we see an implementation deadline. 

For now, we're expecting a deadline to come within the next few years, and we expect a first draft of PSD3 will be available for the public to view within the year.