By now, you and your business are likely well aware of PSD2. It was a directive passed by the EU in 2015 and slowly rolled out over the following years to modernise and secure the payment services and banking industry.
Today, the EU is preparing to launch PSD3, the third iteration of its Payment Services Directive regulations. In this post, we will look at what you can expect from PSD3, how it might differ from its predecessor, and when it will take effect.
Similar to the directives that have preceded it, PSD3's focus is to address challenges in the banking and financial sector, like transaction security, fraud, open banking, and so on.
More specifically, the PSD3 framework will address issues including electronic payments and the banking ecosystem in the European single market area (EEA). It also aims to update several of the restrictions and rules laid out by PSD2, as these have become less relevant and accurate in recent years.
Of course, if you're familiar with PSD2, then the basic goals of PSD3 shouldn't seem too unfamiliar. To help you better understand what sets PSD3 apart from PSD2, here are some of the key differences between these two directives.
One of the key considerations of PSD3 is whether or not the open banking requirements laid out by PSD2 are adequate. Open banking is great for consumers, allowing them to move assets more easily and transact between accounts held in different financial institutions.
However, it can pose security risks, and lax requirements have led to predatory businesses taking advantage of loopholes, consumers, and financial organisations.
A major aspect of PSD2 was its definition of Strong Customer Authentication or SCA. PSD2 required at least two forms of authentication to grant access to a customer's account or to authorise certain transactions.
In 2015, SCA was still a relatively new concept, whereas today there are a number of techniques used to verify and authenticate a customer's access to an account. It's possible that PSD3 will expand the definition of SCA to allow for these new forms of authentication.
Under PSD2, the period determining when SCA will be required is currently 90 days. This means that every 90 days, a customer will need to pass an SCA test to access their account and/or assets.
PSD3 is considering doubling this period from 90 days to 180 days. Although this may pose security concerns, it would be more convenient and sustainable for customers and businesses.
As payment technology has continued to develop at pace, the use of contactless payments has grown. However, these contactless payments can become less secure very quickly if criminals are able to fraudulently copy payment cards to a device in their control.
To protect against this, PSD2 set transaction limits on contactless payments. PSD3 might change these limits, making it easier or more difficult for contactless payments to take place, depending on how the limits change.
One change that could come with PSD3, and that would almost certainly benefit consumers, is a requirement for financial institutions to confirm how much a currency conversion will cost before a transaction occurs.
This would help individuals make decisions before converting between currencies, though it could require some backend development for banks and other companies.
PSD3 might change PSD2's exceptions. In this case, exceptions are just what they sound like — instances where the normal PSD2 protocols are altered or not applied.
PSD3 could feature new exceptions, making certain types of transactions easier, more challenging, or more/less secure. It will be up to banks and other financial institutions to update their processes and policies to keep up with PSD3.
Fortunately, for now, there isn't a deadline attached to PSD3. The EU is still deciding on the finer details of PSD3, which means it will likely be some time before we see an implementation deadline.
For now, we're expecting a deadline to come within the next few years, and we expect a first draft of PSD3 will be available for the public to view within the year.