PSD3 is here — what actually changes for merchants
PSD3 does not tear up PSD2 so much as finish what it started. After nearly a decade of uneven national implementations, fragmented SCA exemptions, and a payments industry that quietly worked around the gaps, the European Commission's third Payment Services Directive — together with the new Payment Services Regulation that sits alongside it — pulls the rules back into one coherent shape. For merchants, the practical question is not "what's in the text" but "what changes between Monday morning and the next acquirer review."
The first shift is structural. PSD3 splits the old directive into two instruments: a directive covering licensing and supervision, and a regulation that applies directly across every member state without national transposition. That second part matters more than it sounds. The single biggest source of friction under PSD2 was that twenty-seven regulators interpreted the same article in twenty-seven slightly different ways, and a merchant accepting payments across the EU had to track every one of them. PSR replaces most of that surface with a single, directly applicable rulebook.
Strong customer authentication gets the most visible refresh. The exemption framework — low-value, trusted beneficiary, transaction risk analysis, merchant-initiated transactions — survives, but the thresholds and the conditions are harmonised and, in several cases, loosened. Trusted-beneficiary lists become genuinely portable across banks. Transaction risk analysis exemption thresholds are clarified so that a competent acquirer with a low fraud rate can actually use them at scale, rather than watching issuers decline the exemption on principle. The low-value exemption ceiling moves up, which removes a meaningful chunk of unnecessary 3DS challenges from small-ticket commerce.
Merchant-initiated transactions get the cleanup they have needed since 2019. PSD3 draws a sharper line between a true MIT — a subscription renewal, a top-up, a usage-based charge — and a customer-initiated transaction that merely uses a stored credential. The mandate setup flow is standardised, the data elements that must travel with every subsequent MIT are spelled out, and issuers lose the discretion to silently re-challenge a properly flagged MIT. For any business running recurring billing, this is the single biggest operational win in the package.
The headline is not new powers for regulators. It is fewer reasons for issuers to decline a legitimate transaction.
Fraud liability shifts in ways that finally bite. Under PSR, banks that wrongly classify a transaction — declining a valid SCA exemption, failing to honour a trusted-beneficiary listing, mishandling a confirmation-of-payee check — carry the loss rather than passing it to the merchant or the consumer. Authorised push payment fraud, the category that has quietly become the largest single fraud loss in European retail banking, gets a mandatory reimbursement regime modelled on the UK's, with clear allocation between the sending and receiving institutions. For merchants, the practical effect is that issuer behaviour gets measurably more cooperative, because the cost of being unhelpful now lands on the issuer's own P&L.
Open banking finally gets the commercial framework it has been missing. PSD2 mandated free access to basic account APIs and then watched banks deliver the bare minimum. PSD3 keeps the free baseline but explicitly permits a premium API tier — variable recurring payments, richer data, better uptime SLAs — that banks can charge for under regulated terms. The result is a healthier market for the providers building on top of these rails: a Yaspa or a Contiant can now sign a commercial agreement with a bank for the API quality their merchants actually need, rather than depending on goodwill.
Non-bank PSPs get a friendlier path to scheme access. One of the quieter but more consequential changes in PSR is the requirement that operators of designated payment systems — including the major card schemes and instant-payment rails — give licensed payment institutions and e-money institutions fair, non-discriminatory access on objective criteria. The era in which a non-bank had to rent a sponsor bank for every rail it wanted to touch is not over, but the leverage shifts. Expect more direct participation, lower stack costs, and over time, slightly tighter pricing reaching merchants.
Data rules get sharper too. PSR aligns more closely with GDPR on what counts as a permitted purpose for processing payment data, narrows the grounds on which a PSP can refuse a data access request from a regulated third party, and introduces explicit penalties for the "API works but the data is wrong" pattern that has frustrated open banking aggregators for years. The downstream effect for merchants is a more reliable account information layer underneath any product that depends on it — affordability checks, onboarding, reconciliation, treasury.
What should a merchant actually do this year? Three things. First, ask the acquirer for a written view of how their SCA exemption strategy changes under PSR, and what the expected lift in authorisation rate is — if the answer is vague, that is a signal. Second, audit every recurring billing flow against the new MIT definitions and make sure the mandate data is captured in the standardised shape now, not in the panic six weeks before enforcement. Third, revisit any open banking integration that was parked because the API quality was not good enough; the commercial tier changes the conversation, and the providers building on top of it have spent the last two years getting ready.
PSD3 is not a revolution. It is the regulation that finally makes PSD2 do what it was supposed to do — fewer pointless declines, cleaner recurring payments, real liability when issuers misbehave, and a credible commercial path for the open banking ecosystem. For merchants who run a serious payments operation, the upside is measured in basis points of authorisation rate and minutes of settlement time, not in headlines. Which is exactly the kind of regulation that ends up mattering most.