PSD2 vs PSD3: Everything You Should Know As An E-Commerce Merchant

The European payments landscape is entering a new chapter. The Payment Services Directive 2 (often referred to as the PSD2 Directive), introduced in 2016, reshaped the industry by enabling open banking, mandating access to bank accounts for third-party providers, and strengthening consumer protection through Strong Customer Authentication. While PSD2 drove innovation, its fragmented rollout across member states created inconsistencies, regulatory gaps and unnecessary friction for both merchants and consumers.
To address these challenges, the European Commission has proposed the Payment Services Directive 3 (referred to as the PSD3 Directive) alongside a new Payment Services Regulation. Together, they aim to strengthen fraud prevention, harmonise rules across the European Union and broaden the regulatory scope to cover new types of payment providers. For e-commerce merchants, this means stricter but clearer compliance obligations, improved reliability in open banking with companies like Noda leading the charge, and ultimately a more secure and user-friendly payments environment.
Key takeaways:
The move from PSD2 to PSD3 marks a big shift in European payments. PSD2, adopted in 2015, opened up banking by forcing banks to share account data with licensed third parties, which enabled services like Revolut, budgeting apps and new payment methods. It also introduced Strong Customer Authentication to cut fraud.
But PSD2 wasn’t perfect. Countries enforced the PSD2 regulations differently, some banks only offered bare-minimum APIs, and merchants faced friction from uneven user experiences and delays in compliance.
PSD3, expected around 2026–2027, aims to fix this. It will standardise APIs across Europe, cover instant payments and crypto, and strengthen fraud checks with tools like confirmation of payee. It also promises clearer rules and consistent enforcement across all member states.
For merchants, that means faster payments, fewer failed checkouts, and better access to modern payment options in a more unified European market.
PSD3 became necessary because payment services were evolving at a pace that PSD2 could not fully keep up with. The rise of new fraud tactics and increasingly sophisticated cyber threats demanded a stronger security framework.
At the same time, fragmented enforcement across EU countries created inconsistencies that frustrated both businesses and consumers. Liability gaps and cumbersome authentication processes meant that many users faced unnecessary friction during payments, while businesses struggled with uncertainty. With fintech players and non-bank payment service providers entering the market in force, it became clear that a more harmonised and forward-looking regulatory framework was required. The introduction of the PSD3 and PSR package is intended to deliver that EU-wide clarity.
According to the European Commission, PSD3 proposes a more unified approach to authentication and liability, while expanding the regulatory scope to encompass modern payment providers. It reinforces Strong Customer Authentication rules by making them stricter, more consistent and more technologically advanced.
It also expands the rights of payment providers to develop custom APIs, backed by fallback mechanisms that ensure uninterrupted services. Liability is clarified and broadened, particularly for fraud, payer manipulation and authorised push payment fraud. By introducing the PSR, the EU ensures that transparency, licensing, and operational requirements are standardised across member states. Another important element of PSD3 is the merger of the legal frameworks for payment institutions and electronic money institutions, which simplifies compliance. Institutions will also be required to prepare winding-up plans to ensure an orderly closure of their business in the event of failure.
Although PSD2 was a big step forward, it didn’t fully deliver on its promise. Strong Customer Authentication was rolled out unevenly, resulting in customers across Europe having very different checkout experiences. Regulators in each country interpreted the rules in their own way, which created extra complexity and legal grey areas for businesses. For shoppers, the extra security steps often felt confusing and added friction to the checkout. On top of that, banks built APIs in different ways, which limited how well open banking could work and made it harder for third parties to access data.
PSD3 is designed to fix these problems. It introduces consistent rules, stricter technical standards, and clearer legal frameworks to make payments smoother, safer, and more reliable throughout the EU.
The transition from PSD2 to PSD3 will bring several significant changes. Strong Customer Authentication will be harmonised and extended, with more advanced authentication methods such as behavioural biometrics and multi-device authorisation being supported. Fraud prevention obligations will be strengthened with requirements for real-time monitoring. The liability framework will be clarified, defining responsibilities more explicitly for banks, fintechs and other payment providers. Perhaps the most significant shift will occur with the transition from fragmented national rules to a consolidated EU-wide regulatory framework, facilitated by the PSD2 Directive and the directly applicable PSD2 Regulation.
One of the most exciting aspects of PSD3 is its impact on open banking. By tightening standards and improving API reliability, PSD3 will make it much easier for banks and providers to work together — with direct benefits for merchants.
Before PSD2 was implemented, Pay-by-Bank worked, but conversion often suffered because APIs were clunky, some banks were slow to adopt, and downtime was common. With PSD3, banks will face stricter uptime and performance rules, meaning merchants can finally rely on open banking as a mainstream alternative to cards, not just an additional payment method.
Previously, some banks provided only the bare minimum of account data, while others offered richer insights, resulting in inconsistent experiences. PSD3 will harmonise access, providing merchants (through their providers) with consistent data, such as balances, transaction history, and confirmation of funds, across the EU. That makes things like risk checks, instant refunds, and BNPL onboarding much smoother.
And with the Instant Payments Regulation working alongside PSD3, instant SEPA payments will no longer be optional or overpriced. For merchants, this means refunds are instantly credited to customers — improving trust — while incoming payments settle in seconds, strengthening cash flow. This is why so many of them are searching for PSD3 updates and paying close attention.
Strong Customer Authentication is central to PSD3. The new directive requires more consistent and frequent use of multi-factor authentication across all member states. It introduces additional methods, such as trusted beneficiary lists and biometric verification, as well as the use of multiple devices for authentication. By refining the exemptions and applying risk-based approaches, PSD3 reduces unnecessary friction for consumers while still maintaining robust protection against fraud. Accessibility is another important consideration, with the rules aimed at ensuring that all users, including the elderly and those with disabilities, can benefit from secure payment services.
The impact of PSD3 on the EU market will be far-reaching. Banks, payment service providers and merchants will need to comply with stricter obligations and assume clearer liability. While this will increase compliance costs, it will also lead to stronger fraud prevention and greater consumer confidence.
Fintech firms in particular will benefit from richer data access and the ability to offer more reliable open banking services. Harmonisation of rules will simplify cross-border operations, making it easier for businesses to scale across Europe. For consumers, the combination of greater security and smoother experiences should result in higher trust and wider adoption of digital payments.
The European Commission released the first proposals in mid-2023, with the European Parliament adopting amendments by spring 2024. Official adoption and transposition into national laws are expected to take place no sooner than 2026. Once adopted, companies will generally have an eighteen-month grace period to comply with the new requirements.
Although PSD3 is still some way off, open banking is already a widely adopted framework across Europe, making payments safer and easier for both merchants and consumers. Unlike card processing, it cuts costs, reduces fraud, and delivers faster settlement. With Noda, you can capitalise on this shift today.
Noda helps you stay ahead of the curve with a unified payments platform built to improve conversions:
Book a free demo to see how Noda can help you operate within the PSD2 and PSD3 frameworks and reduce your transfer fees while improving checkout conversion rates.
Introduced in 2016, PSD2 enabled open banking, but suffered from an inconsistent rollout. PSD3, backed by the PSR, unifies rules across Europe, strengthens authentication and fraud prevention, and widens scope to cover fintechs and non-bank providers.
The directive is expected to be adopted between 2025 and 2026, with an eighteen-month transition period for compliance.
It will improve API standardisation and reliability, making open banking more accessible and fostering innovation by enabling stronger collaboration between banks and third-party providers.
PSD3 expands and unifies authentication rules across Europe, supporting advanced biometric methods, trusted beneficiary lists and multi-device verification while applying dynamic, risk-based exemptions to reduce friction.
The UK is expected to continue implementing PSD2 while introducing its own regulatory updates, resulting in divergence from the EU framework.