What is PSD3 and how does it differ from PSD2?

PSD3 (Payment Services Directive 3) is the upcoming revision of PSD2, designed to further enhance security, innovation, and consumer protection in digital payments. Unlike PSD2, PSD3 will be implemented as a Payment Services Regulation (PSR) rather than a directive, ensuring uniform enforcement across all EU member states.

• PSD2 was a directive, meaning EU countries had flexibility in how they incorporated it into national laws.
• PSD3 (PSR) will be a regulation, which applies directly and uniformly across all EU countries without local variations.

• PSD2 introduced Strong Customer Authentication (SCA), requiring two-factor authentication (2FA) for most electronic payments.
• PSD3 aims to refine SCA by:
  • Clarifying exemptions and risk-based application of authentication.
  • Better integration with modern authentication methods, including passkeys and biometric authentication.
  • Reducing friction in user authentication without compromising security.

• PSD3 introduces stronger consumer rights for fraud prevention, refund policies, and data protection.
• Payment service providers (PSPs) will have clearer accountability rules in cases of fraud.

• PSD3 improves access for FinTechs and non-bank payment service providers (PSPs) by allowing them greater access to banking infrastructure.
• This fosters more competition and innovation in digital payments.

• PSD3 strengthens fraud detection mechanisms by mandating enhanced transaction monitoring and more rigorous identity verification.
• It also introduces clearer guidelines for outsourcing authentication, allowing third-party authentication providers like passkey services to integrate more effectively.

While passkeys are not explicitly mentioned in current PSD3 drafts, the regulation's focus on modern authentication methods and phishing-resistant MFA aligns well with passkey technology. The transition to PSR ensures standardization, making passkeys a strong candidate for compliance with future authentication requirements.

PSD3 builds upon PSD2’s foundation but increases security, eliminates national inconsistencies, and fosters digital payment innovation. Organizations preparing for PSD3 should focus on phishing-resistant authentication solutions like passkeys to stay ahead of regulatory changes.