Everything you need to know about PSD3 and PSR

Understand how PSD3 and PSR impact your European business, from building trust to fighting fraud and the 2026/27 compliance timeline.

2 Jul 2024

WARNING: Despite our best efforts, this article contains a frankly astonishing number of abbreviations and acronyms. Please feel free to consult the glossary at the bottom. 

If you’ve spent any time working with European payments, you’ll know they can be a bit of a labyrinth. With different countries historically operating their own systems, even a simple cross-border transaction can lead to frustration.

This is why, back in 2007, the European Commission introduced the first Payment Services Directive (PSD1). 

This foundational blueprint made the Single European Payments Area (SEPA) possible, and by 2009, it had become law across the EU member states.

Since then, we’ve seen payments shift from ‘plastic card in a wallet’ to ‘digital cards stored on a phone’ and even ‘biometrics on a watch’. So, to keep up, the rules are evolving again. 

The EU is now finalising the third payment services directive (PSD3) and the payment services regulation (PSR). These rules are designed to apply consistently – from Paris to Prague.

Whether you’re a small business or a scaling marketplace, you’ll need to comply. But there is an upside: these regulations are actually a tool for building trust and stopping fraud.

This guide breaks down exactly what PSD3 and PSR are, why they matter, and how you can prepare your business for the next evolution of European finance.

Introduction to PSD3 and PSR

These two measures are an upgrade to the existing European payments framework.

PSD2 – adopted in 2015 – gave us open banking and Strong Customer Authentication (SCA). It was a start. But since then, the market has moved fast. To keep pace with digital platforms and more sophisticated fraud, the European Commission is introducing a new two-part package: PSD3 and PSR.

What is PSD3?

PSD3 focuses on the mechanics behind the scenes. It sets the bar for who is allowed to handle your money and how strictly they need to be supervised.

The biggest change is the merging of PIs and EMIs:

  • Payment Institutions (PIs): These are the companies that move money from point A to point B, but aren't supposed to hold onto it for long.

  • Electronic Money Institutions (EMIs): These operate more like digital wallets. They can move money, but they can also store it for you indefinitely.

In the past, these two groups had different licences and slightly different rules. With PSD3, they play by the same rulebook. For you, this simplified landscape should mean more secure transactions, fewer false declines at checkout, and more competitive fees.

Beyond licensing, PSD3 strengthens how payment firms are governed. This covers everything from outsourcing to how they operate across borders. While this happens mostly in the background, it dictates which providers can serve you and how resilient their operations actually are.

We’ll dig into these details in our ‘key changes’ section, but first, let’s take a closer look at PSR. 

What is PSR?

If PSD3 is the blueprint for the companies handling the money, the Payment Services Regulation is the actual rulebook for every transaction. This means that whether your customer is in Berlin or Barcelona, the core operational rules for security, transparency, and fraud remain consistent across the EU.

For growing European companies, this levels the playing field, simplifies doing business across borders, and provides a more predictable way to scale across Europe. There are three major parts:

  1. Fighting fraud: New rules to tackle ‘spoofing’ (where scammers pretend to be banks). If a bank or payment provider fails to spot a clear fraud attempt, the liability might shift away from the user. It’s a move designed to make the whole ecosystem more trustworthy.

  2. SCA 2.0: The new rules aim to reduce unnecessary SCA challenges for low‑risk transactions and encourage more user‑friendly, phishing‑resistant methods such as biometrics, while tightening controls around device and wallet enrolment.

  3. Clearer identities: We’ve all seen cryptic codes like ‘WP-TX-998’ on a bank statement and wondered what we bought. PSR mandates ‘transaction transparency,’ meaning bank statements must show your actual commercial name. This is a massive win for reducing those accidental chargebacks that happen simply because a customer didn't recognise the bill.

Why is this happening now?

PSD2 laid much of the groundwork for today’s digital payments. But as technology and fraud tactics have evolved, PSD3 is effectively a much-needed security and capability update. That matters because the way we pay has arguably changed more in the past 10 years than in the 50 years before that.

The European Commission is driving this update for three clear operational reasons:

1. Keeping up with fraud

Strong customer authentication reduced basic card theft, but it simply pushed scammers to become more creative. We're seeing a massive rise in AI-powered scams, from social engineering to spoofing. And as instant, account-to-account payments become the new European standard, transactions become irrevocable – meaning the money is just gone.

The new rules target these sophisticated scams directly. Regulators are widening liability to ensure the ecosystem remains trustworthy for your customers.

2. Making ‘Open Banking’ more accessible

Open Banking was the big promise of PSD2, but the reality was often clunky. Many banks provided slow or unreliable connections (APIs) to fintech apps, leading to timeouts and frustrated customers. PSR now forces banks to provide dedicated, high-performance interfaces. It also mandates inclusive design, ensuring authentication works for everyone, including the elderly or those with visual impairments who might rely on voice recognition.

3. Creating an international standard

Under PSD2, different EU countries interpreted the rules slightly differently, meaning that a fintech in Ireland might face different hurdles than one in Italy. By introducing PSR, the EU is providing one set of rules for the whole continent, making it easier for you to scale your business from one country to twenty-seven without changing your entire checkout flow.

Key changes introduced by PSD3 and PSR

If you’re comparing PSD3 vs PSD2, the biggest shift is moving from providing access to ensuring quality. PSD2 opened the door for fintechs, but PSD3 and PSR are here to make sure that door stays open, the hinges don’t squeak, and the security alarm actually stops fraudsters.

The new framework splits the rules into two categories: how companies are run (PSD3) and how payments actually happen (PSR). Here’s what’s changing:

1. Strong Customer Authentication

Under PSD2, SCA (that two-factor check at checkout) was a bit of a one-size-fits-all hammer. PSR refines this into a surgical tool:

  • Frictionless by default: It encourages more exemptions for low-risk payments, meaning fewer annoying pop-ups for your regular customers.

  • Biometrics first: There is a strong preference for biometrics (Face ID, fingerprint) because they’re harder to steal than SMS codes.

  • Secure digital wallets: PSR specifically requires robust SCA at the time of digital wallet enrolment. This stops a fraudster from putting your card on their phone.

  • Fewer false declines: The rules support better sharing of transaction risk signals, so issuers can make more accurate approval decisions without forcing extra customer steps every time.

2. Enhanced user accessibility and rights

Payments should work for everyone, not just the tech-savvy.

  • Inclusivity by design: For the first time, there’s a legal mandate to ensure SCA is accessible to users with disabilities or those who don’t own a smartphone.

  • Empowering the user: If a customer uses a Payment Initiation Service (PIS) or Account Information Service (AIS), their rights are now explicitly protected. They get consent dashboards to see exactly who has access to their data and can revoke it in one tap.

3. Fraud prevention and liability

This is the most important part when it comes to your daily operations.

  • Verification of payee (VoP): Before a customer hits send, their bank must verify that the name on the account matches the IBAN. If the bank fails to warn the customer of a mismatch, the bank – not the customer or business – may be liable for the loss.

  • Spoofing protection: If a fraudster impersonates a bank employee to trick a customer into a transfer, the bank is now much more likely to be on the hook for a refund.

  • Expanded liability: Where required security measures aren’t properly applied, liability may not sit only with the customer or the business. Other parties in the flow may bear more liability.

  • Fraud signal sharing: Regulated providers will be able to share relevant fraud signals across the ecosystem, improving detection without adding friction for legitimate customers.

4. More reliable Open Banking

Under PSD2, Open Banking was often clunky because bank APIs (the digital connectors) simply weren’t as robust as they needed to be. With PSD3, they’ve upgraded the system in two ways:

  • Performance mandates: Banks are now required to provide dedicated, high-quality interfaces, aiming to improve reliability and reduce disruptions. 

  • Consent dashboards: Your customers will get a control panel in their banking app where they can see any data-sharing permissions they’ve given to apps, and cancel them with one click. This should reduce ‘ghost permissions’, improve customer trust, and cut support overhead.

5. Beyond payments: The FiDA Link

You might hear the term FiDA (financial data access) pop up from time to time. While PSD3 focuses on your payment account, FiDA has more all-encompassing goals. It aims to expand Open Banking principles to your entire financial life, including insurance, pensions, and investments. 

In many ways, PSD3 is a test case for this broader EU vision of open finance.

6. Direct access to payment systems (for non-bank PSPs and EMIs)

The new rules reinforce fair, non‑discriminatory access to payment systems and accounts for non‑bank PSPs and e‑money providers, reducing over‑reliance on a small number of sponsor banks.

For payment providers, this can reduce dependency on sponsor banks and improve resilience. For businesses, the long-term effect should be more competition and faster product innovation, though outcomes will depend on implementation and market dynamics.

7. Clearer currency conversion fee disclosures (FX transparency)

PSR strengthens transparency requirements for currency conversion charges in certain payment flows (such as credit transfers and remittances). Where currency conversion applies, providers may need to show the FX mark-up as a percentage over the ECB reference rate before the customer initiates the transaction. 

For businesses selling cross-border, this can affect checkout and receipt messaging, and could reduce disputes driven by unexpected FX costs.

Now that we’ve covered the why, let’s move on to the who and when.

PSD3/PSR expected timeline

In 2026, we move from debate to delivery. While the headlines have been circulating for years, the actual dates you need to mark in your calendar are finally coming into focus.

Here’s the roadmap based on the current legislative direction. Note that while EU timelines can shift, the destination is fixed.

| Date | Milestone | What it means for you |
| --- | --- | --- |
| H1 2026 | Formal adoption | The EU Parliament gives the final green light. The texts are published in the official journal, and the clock officially starts ticking. |
| Late 2026 | The transition begins | The 18-to-24-month grace period kicks in. This is when your payment provider starts upgrading their tech stack to meet the new PSR standards. |
| Early 2027 | Technical standards (RTS) | EBA finalises technical standards clarifying how key requirements should work in practice (for example SCA details, interface performance expectations, and security controls). |
| Late 2027 / Early 2028 | Full application | This is the deadline. By this point, your checkout must be fully compliant with PSR rules (like SCA 2.0 and clear bank statements). |

Who do PSD3 and PSR affect?

Ultimately, these changes touch everyone in the European market. But the operational impact isn't evenly distributed.

Most retail businesses will feel the impact indirectly (via their provider), while platforms and marketplaces face a much steeper compliance climb.

  • Companies (ecommerce and retail): Mostly indirect impact via your PSP, updates to SCA/3D Secure flows, clearer statement descriptors, fraud handling processes, and more reliable pay-by-bank connections.

  • Platforms and marketplaces: Higher compliance risk, with tighter rules around exemptions (like the commercial agent exemption) and greater scrutiny of fund flows, often requiring regulated payment setups or a licensed partner.

  • Payment service providers (PSPs) and banks: These rules directly impact authorisation/supervision requirements, Open Banking interface performance expectations, fraud controls, transparency rules, and clearer liability frameworks.

  • Consumers: Stronger protection against spoofing and misdirected transfers (e.g., via Verification of Payee), clearer transaction information, and more accessible authentication options.

PSD2 vs. PSD3 at a glance

| Feature | PSD2 | PSD3/PSR |
| --- | --- | --- |
| Focus | Access & basic security | Performance & fraud prevention |
| Fraud check | 2-Factor (SCA) at checkout | SCA at enrollment + IBAN name matching |
| Open Banking | Mandatory access (often clunky) | Stronger uptime and performance standards |
| Rule style | Fragmented national interpretations | Single EU-wide rulebook (PSR) |
| Licences | Separate PIs and EMIs | Unified PI/EMI licensing framework |

How do PSD3 and PSR impact platforms and marketplaces?

If you run a platform or a marketplace, you occupy a unique space in the payment flow where you manage a network of multiple buyers and sellers. PSD3 and PSR introduce tighter rules to ensure that if you move money for others, you either hold a licence or you use a partner who does.

Cracking down on ‘commercial agents’

For years, many platforms or marketplaces have relied on the ‘commercial agent exemption’ to avoid the headache of obtaining a full payment licence. The new rules are tightening the screw on this exclusion.

The PSR makes it clear that this exemption only applies if you act exclusively for either the payer or the payee. You cannot be an intermediary serving both.

Additionally, you must have a ‘real margin’ to negotiate the sale. If your platform simply sits in the middle, handles the funds, and uses a standard automated checkout, you may no longer qualify. However, the scope of the commercial agent exemption is still being negotiated, and the final position will only be clear once EU lawmakers agree on the final PSR text.

To stay compliant without the headache of a bank-level licence, you’ll need to rely on a regulated partner (like Mollie) to manage your money flows.

The Limited Network Exclusion (LNE)

If you offer store-branded gift cards or fuel cards, you likely use the Limited Network Exclusion. This allows you to run your own payment system without a full banking licence, provided funds can only be spent at your locations or for a specific purpose.

PSD3 and PSR haven’t removed this, but they have tightened the rules:

  • The rule: Your cards must stay truly limited. If a gift card is accepted at so many unrelated shops that it effectively functions like a general debit card, you can expect a few questions. 

  • The goal: To prevent these closed-loop systems from effectively becoming general-purpose payment products – without the safeguards and oversight that apply to regulated payment services.

Improved settlement and money flow

Because PSR standardises how money moves, marketplaces can expect more predictable settlement times across EU borders.

The trade-off is higher scrutiny. You can expect tighter rules on how customer funds are safeguarded (segregation, reconciliation, and controls), especially if you touch the funds before paying out sellers.

The upside: The regulation means you won't have to build separate payout logic for your sellers in different EU markets. One rulebook covers them all.

Want to see exactly how these changes affect your specific business model? Read our in-depth guide: PSD3 for platforms and marketplaces.

Preparing for PSD3 and PSR: A compliance roadmap

Compliance is hard enough without it becoming a last-minute scramble. Here’s your step-by-step checklist to stay ahead of the 2027/28 deadlines.

  1. Audit your current exemptions: If you are currently relying on the Commercial Agent exclusion, review your contracts now. Do you have a "real margin" to negotiate? If not, it’s time to move to a regulated payment model.

  2. Talk to your PSP about SCA 2.0: Ask your provider when they will be implementing "SCA at enrollment" for digital wallets. This will be a mandatory requirement soon.

  3. Review your bank statement descriptors: Ensure your system is configured to send your Commercial Trade Name to your payment provider so it appears clearly on customer statements.

  4. Fraud data readiness: PSR supports stronger fraud prevention and clearer liability. So make sure your systems (and your PSP integration) can handle richer fraud signals, improved descriptors, and any new reporting/operational processes your provider introduces.

Staying compliant with Mollie

At Mollie, we’ve always believed that regulation should be invisible to your customers. Our job is to handle the complexity so you can focus on growth.

We are taking a proactive compliance-first approach to PSD3 and PSR:

  • Simplified SCA: We continuously optimise 3D Secure flows to reduce friction and are preparing for PSR updates, including stronger requirements for wallet enrolment authentication.

  • Built-in transparency: Our APIs are being updated to ensure that transaction transparency (clear business names on statements) happens automatically for all our users.

  • Platform-specific solutions: Through Mollie Connect, we provide marketplaces with a fully compliant way to route funds between buyers and sellers, completely removing the need for you to worry about licensing.

You can also manage descriptors, monitor disputes, and track payment performance in the Mollie Dashboard.

Conclusion

The shift from PSD2 to the PSD3/PSR framework marks a turning point for European commerce. It’s a move toward a more mature, secure, and unified financial landscape.

While the technical details, compliance and exclusions can seem daunting, the goal is simple: to make payments work better for everyone. By preparing now, you’re building a more trustworthy, frictionless experience for your customers.

Want to turn European complexity into commercial power? 

The Payments Report 2026 shows you how to use technology to handle the heavy lifting of routing, compliance, and reconciliation – allowing your human experts to stop fighting fires and start driving new growth.

FAQs

Q: Do I need to get a PSD3 licence as an ecommerce merchant? 

A: No. Unless you are a large marketplace handling funds yourself, you don’t need a licence. Your payment service provider carries the licence for you. However, you must ensure your PSP is compliant by the 2027/28 deadlines.

Q: What is the difference between VoP and the UK’s Confirmation of Payee? 

A: They are very similar. Both verify that the account name matches the IBAN/Account number. The major difference is that VoP is the mandatory version being rolled out across the entire EU/EEA under the PSR.

Q: Will PSD3 make my checkout slower? 

A: Actually, it should make it smoother. While security is tighter, the rules for exemptions are being improved. This means low-risk customers will face fewer interruptions, while ‘SCA at Enrollment’ handles the heavy security lifting before the customer even gets to your checkout.

Q: I have a PSD2 licence for my fintech. When do I need to reapply? 

A: Existing licences are expected to remain valid for a transitional period (currently discussed at around 18–30 months after the new rules start to apply), during which you will need to demonstrate compliance with PSD3 or apply for re‑authorisation under the new framework.

Q: Do PSD3 and PSR apply to UK businesses or UK customers?

A: Not directly. The UK has its own payment rules. However, if you sell into the EU/EEA or use EU/EEA-based payment providers for EU/EEA customers, parts of your payment flow may need to meet EU requirements (for example, SCA-related rules and transparency obligations).

Q: When do I need to be compliant with PSD3 and PSR? 

A: While the final rules are being adopted in 2026, most businesses have a grace period. You should aim to have your systems fully compliant with the new transaction rules (PSR) by late 2027 or early 2028.

Q: How does IBAN name matching (VoP) affect my checkout? 

A: It’s a win for trust. When a customer pays via bank transfer, their bank will verify your business name. If it matches, they get a green light. This reduces manual errors and prevents your customers from accidentally sending money to fraudsters.

Q: Will the merging of PIs and EMIs change my fees? 

A: It’s possible, but probably not. This change is mostly for the providers themselves. It actually encourages more competition, which generally helps keep transaction fees stable or lower in the long run.

Glossary

AIS (Account Information Services): A service that lets you see your financial data from different bank accounts in a single app.

API (Application Programming Interface): The digital connector that allows a bank’s system to talk to a fintech’s system securely.

EMI (Electronic Money Institution): A company authorised to issue "digital cash" and store it in a wallet (e.g., Revolut).

EU/EEA (European Union/European Economic Area): A collective geographic and economic zone comprising the 27 EU member states plus Iceland, Liechtenstein, and Norway, established to ensure the free movement of persons, goods, services, and capital within the European Single Market.

FiDA (Financial Data Access): The next step after Open Banking, extending data sharing to insurance, pensions, and investments.

LNE (Limited Network Exclusion): A rule allowing ‘closed’ systems (like store gift cards) to operate without a full banking licence.

PI (Payment Institution): A company authorised to move money but not necessarily store it long-term (e.g., Stripe or Mollie).

PIS (Payment Initiation Services): A service that lets you pay a merchant directly from your bank account at checkout.

PISP (Payment Initiation Service Provider): The company that builds the "Pay by Bank" button on a website.

PSD / PSD2 / PSD3 (Payment Services Directive): The European laws that set the rules for who can handle payments and how.

PSR (Payment Services Regulation): The new EU rulebook that ensures payment rules are identical in every member state.

SCA (Strong Customer Authentication): The two-factor security check (e.g., FaceID + Password) required for digital payments.

VoP (Verification of Payee): A new requirement for banks to check that the name on a bank account matches the IBAN before money is sent.
