What Is PSD3?
The Payment Services Directive 3 (PSD3) is the latest evolution of the European Union’s framework for regulating payment services and protecting consumers. Building on PSD2, PSD3 introduces new rules to strengthen security, improve transparency, and expand consumer rights in an increasingly digital financial ecosystem.
The directive affects banks, payment institutions, e-money providers, and third-party service providers — but its reach extends to technology vendors and partners supporting these services.
Key objectives of PSD3:
- Close security gaps left by PSD2
- Harmonize enforcement across the EU
- Strengthen Strong Customer Authentication (SCA) rules
- Address emerging payment methods (instant payments, mobile wallets)
- Improve cross-border consumer protections
How PSD3 Differs from PSD2
While PSD2 introduced SCA and enabled open banking APIs, PSD3 refines and tightens those requirements.
Area | PSD2 | PSD3 |
---|---|---|
Strong Customer Authentication | Mandatory, but with exemptions | Exemptions narrowed, stricter enforcement |
Open Banking | APIs required for banks | API security and performance standards defined |
Consumer Protection | Basic rights for refunds and dispute resolution | Expanded refund rights, faster dispute handling |
Enforcement | Varying national interpretations | Harmonized EU-wide supervisory powers |
Scope | Payment services | Payment + certain digital asset and fintech services |
Who Needs to Comply with PSD3?
Compliance is required for all entities providing payment services in the EU, including:
- Banks and credit institutions
- Payment service providers (PSPs)
- Electronic money institutions
- Third-party providers (TPPs) offering account information or payment initiation services
- ICT service providers supporting these organizations
If your technology stack processes, transmits, or stores payment or authentication data, PSD3 likely applies.

PSD3 Compliance Timeline
- Directive published: Mid-2025
- Transposition into national law: Expected by mid-2026
- Enforcement start date: Likely 2027 (subject to final adoption and national implementation)
Organizations should begin gap assessments now, as upgrading authentication systems and compliance processes can take 12–24 months.
Who Is Responsible for PSD3 Compliance?
The board of directors and senior management bear ultimate responsibility for PSD3 compliance.
They must:
- Approve security and compliance policies
- Allocate resources for implementation
- Monitor ongoing compliance and risk management
- Ensure SCA, transaction monitoring, and fraud prevention are in place
Non-compliance risks include financial penalties, loss of license, and reputational damage.
Key PSD3 Authentication Requirements
PSD3 strengthens SCA and transaction monitoring requirements from PSD2.
1. Strong Customer Authentication (SCA)
Must use at least two independent factors from:
- Something the user knows (PIN, password)
- Something the user has (device, hardware key)
- Something the user is (biometrics)
2. Dynamic Linking
Each transaction must be uniquely tied to the amount and payee, and the user must be aware of this link at the time of authorization.
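As an added illustration of the dynamic-linking requirement above (this is example code written for this page, not Secfense's product code or anything taken from the directive text), the following Python sketch binds an authentication code to the amount and payee the user actually saw, verifies it only against those fields, and consumes each challenge once. The shared device key, the `AuthorizationServer` class, the transaction ids and the IBAN-like payee string are all constructed for the demo; a production authenticator would use a FIDO2 assertion or an HSM-held key rather than a plain HMAC secret.

```python
"""Dynamic linking demo: an authentication code bound to amount and payee.

Constructed example. The device key, transaction ids and amounts are made
up. Real deployments would sign with a FIDO2/passkey credential or an
HSM-held key instead of a shared HMAC secret.
"""
import hashlib
import hmac
import json
import secrets
from decimal import Decimal


def canonical_transaction(tx: dict) -> bytes:
    """Serialize exactly the fields that must be dynamically linked.

    The amount is normalized so "125" and "125.00" yield the same bytes;
    the code covers value, not one of several textual spellings of it.
    """
    linked = {
        "tx_id": tx["tx_id"],
        "amount": str(Decimal(tx["amount"]).quantize(Decimal("0.01"))),
        "currency": tx["currency"],
        "payee": tx["payee"],
        "nonce": tx["nonce"],
    }
    return json.dumps(linked, sort_keys=True, separators=(",", ":")).encode()


def authenticator_display(tx: dict) -> str:
    """Text the user's device shows before signing (what you see is what you sign)."""
    return f"Pay {tx['amount']} {tx['currency']} to {tx['payee']}?"


def authenticator_code(device_key: bytes, tx: dict) -> str:
    """Device side: compute the authentication code over the displayed transaction."""
    return hmac.new(device_key, canonical_transaction(tx), hashlib.sha256).hexdigest()


class AuthorizationServer:
    """PSP side (hypothetical): one pending nonce per tx_id, usable once."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._pending = {}  # tx_id -> nonce

    def create_challenge(self, tx_id: str, amount: str, currency: str, payee: str) -> dict:
        nonce = secrets.token_hex(16)
        self._pending[tx_id] = nonce
        return {"tx_id": tx_id, "amount": amount, "currency": currency,
                "payee": payee, "nonce": nonce}

    def verify(self, submitted: dict, code: str) -> bool:
        """Recompute the code over the fields the client submits for execution.

        If amount or payee were altered after the user approved, the HMAC
        no longer matches. A matching code consumes the nonce, so the same
        approval cannot be replayed for a second payment.
        """
        nonce = self._pending.get(submitted["tx_id"])
        if nonce is None:
            return False  # unknown or already-consumed challenge
        tx = dict(submitted, nonce=nonce)  # server-held nonce, never the client's
        expected = authenticator_code(self._device_key, tx)
        ok = hmac.compare_digest(expected, code)
        if ok:
            del self._pending[submitted["tx_id"]]
        return ok


def run_scenario() -> dict:
    """Walk through approval, two tampering attempts and a replay; return outcomes."""
    device_key = b"constructed-demo-device-key"  # constructed, not a real secret
    server = AuthorizationServer(device_key)
    challenge = server.create_challenge("tx-0001", "125.00", "EUR", "DE00 DEMO 0000 0000 00")
    _shown = authenticator_display(challenge)  # user confirms this text on device
    code = authenticator_code(device_key, challenge)

    approved = {k: v for k, v in challenge.items() if k != "nonce"}
    tampered_amount = dict(approved, amount="1250.00")
    tampered_payee = dict(approved, payee="DE00 DEMO 9999 9999 99")

    return {
        "amount_altered_in_transit": server.verify(tampered_amount, code),
        "payee_altered_in_transit": server.verify(tampered_payee, code),
        "genuine_approval": server.verify(approved, code),
        "replayed_approval": server.verify(approved, code),
    }


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {'accepted' if outcome else 'rejected'}")
```

The server deliberately recomputes the code from the submitted amount and payee plus its own stored nonce, so a mismatch in either field is the signal a practitioner should log and alert on; the one-time nonce is what turns "approved once" into "executable once".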
3. Secure Communication & API Standards
Banks and PSPs must implement stricter controls for open banking APIs, ensuring resilience against MITM and injection attacks.
PSD3 Challenges for Organizations
Challenge | Why It Matters | Impact |
---|---|---|
Legacy Systems | Older apps may not support modern MFA | Expensive rewrites or workarounds |
Dynamic Linking | Requires user-visible transaction details | Authenticator support may be limited |
Customer Experience | Stronger security can slow user flows | Higher abandonment if poorly implemented |
Vendor Risk | PSD3 extends responsibility to third-party providers | Stricter contracts and audits |
How Secfense Helps with PSD3 Compliance
Secfense offers no-code, policy-driven authentication and access control that lets organizations meet PSD3 requirements without rewriting applications.
Relevant Secfense Solutions:
- Phishing-Resistant MFA – Enforce strong authentication across all channels, eliminating passwords as an attack vector.
- Passwordless for Workforce (IAM) – Replace passwords with passkeys for employees accessing sensitive systems.
- Passwordless for Customers (CIAM) – Deliver frictionless, secure login experiences for customers and partners.
- Legacy App Protection – Inject SCA into legacy payment systems without code changes.
- Privileged Access & Microauthorizations – Enforce per-transaction approval in high-risk payment flows.
- Regulatory Compliance (DORA, NIS2, PSD2) – Maintain compliance across overlapping EU security frameworks.
Case Example: Legacy Payment App Modernization
A major EU PSP used Secfense’s User Access Security Broker to add FIDO2 passkey authentication and dynamic linking to a decade-old payment portal — with zero application code changes. The rollout covered 100% of user accounts in under 60 days.
Recommended Next Steps
PSD3 readiness requires strategic planning across technology, policy, and training.
- Run a PSD3 Gap Assessment – Identify authentication, API, and monitoring gaps.
- Prioritize Legacy Systems – Evaluate cost and complexity of upgrades.
- Adopt Phishing-Resistant Authentication – Ensure SCA is in place for all channels.
- Test Dynamic Linking – Confirm your authentication method can display transaction details.
- Engage Vendors Early – Audit third-party providers for compliance readiness.
Contact Secfense
What to Expect
- A short conversation to understand your requirements and security goals.
- Discussion of commercial terms for relevant Secfense solutions such as Passwordless IAM, CIAM, Legacy App Protection, or Privileged Access controls.
- Agreement on next steps – proof of concept, contract details, or rollout plan.
Who It’s For
- Prospects ready to scope a project and discuss budgets.
- Existing customers expanding Secfense coverage to more systems.
- Organizations in the decision/purchase stage after reviewing our solution areas.
📩 Schedule a Call with Secfense to accelerate your PSD3 compliance plan.