Europe’s payment landscape is undergoing a sweeping transformation with the introduction of the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). While previous regulations like PSD2 turbocharged the adoption of Strong Customer Authentication (SCA) and open banking, the new legal framework raises the bar on fraud liability, consumer protection, and seamless payment experiences, especially for card-not-present (CNP) transactions.
For issuers, the evolving expectations around fraud and dispute handling, data and risk-sharing, and the evolution of EMV 3-D Secure mean both new compliance obligations and fresh opportunities to drive down CNP fraud, reduce friction, and boost approval rates.
Key PSD3 and PSR issues impacting issuers and PSPs
1. Fraud and dispute handling: Changing the liability model
What’s changing:
- Broader fraud liability: Issuers and payment service providers (PSPs) face expanded liability for unauthorized transactions under PSD3. If institutions fail to implement robust SCA or fraud prevention, they will be responsible for customer losses, in particular those from impersonation fraud.
- Confirmation of payee: Mandatory IBAN/name-checking services are set to become standard, making it much harder for fraudsters to manipulate consumers.
- Faster dispute resolution: PSD3 and PSR mandate tighter timelines for refunding unauthorized transactions. Issuers must refund within 14 business days unless they can prove payer fraud occurred.
Issuer takeaway:
Failure to modernize authentication and fraud detection exposes issuers not just to higher losses, but also significant regulatory and reputational risk.
2. Consumer protection under PSD3 and PSR
What’s changing:
- Stronger consumer reimbursement rights: Under the new rules, issuers are expected to promptly refund victims of fraud unless clear evidence of payer negligence is established.
- Delegated SCA and shared liability: If another party, such as an acquirer or digital wallet provider, performs authentication, they carry the liability for fraud due to failed authentication. This clarifies responsibilities for all players in a transaction.
- Accurate data-sharing: PSD3 and PSR encourage fraud and dispute information to flow transparently between market participants to speed up investigations and minimize consumer harm.
Issuer takeaway:
Timely, customer-focused dispute handling isn’t just a compliance necessity; it’s also the foundation for customer trust and retention.
The evolution of EMV 3-D Secure under PSD3: Toward frictionless and user-centric authentication
Recent advances:
- Risk-based and frictionless flows: EMV 3DS v2.3 and onward, in combination with PSD3, push the industry toward more intelligent, contextual authentication that minimizes step-ups for legitimate customers while reserving challenges for risky or suspicious transactions.
- Enhanced user experience: With more transaction and behavioral data available for decisioning through EMVCo-certified platforms, such as Entersekt’s, issuers can approve legitimate payments with minimal disruption.
- Customer choice and accessibility: PSD3 explicitly mandates accessible, alternative authentication methods (in addition to SMS or app-based OTPs), ensuring all user segments, including the disabled and elderly, can authenticate securely and easily.
Issuer takeaway:
Modern risk-based 3DS orchestration dramatically reduces false positives, keeps approval rates high, and positions issuers to exceed both regulatory and scheme demands.
Modern authentication and orchestration: Future-proofing against regulatory shifts
- Customizable deployment: Modern 3DS ACS solutions enable issuers to customize the rules and risk settings of their ACS.
- Leverage analytics and AI: Platforms like Entersekt’s EMV 3DS ACS leverage adaptive, context-aware authentication and support seamless integration with in-house and third-party risk engines.
- Improve efficiency: Moving to advanced risk-based ACS platforms not only reduces fraud but also significantly reduces customer support and dispute management overheads.
5 Questions every issuer should ask about 3DS in a PSD3 world
- Is my 3DS platform ready for adaptive, risk-based authentication flows as mandated by PSD3 and PSR?
- Can we easily incorporate multi-channel, user-friendly authentication options—including accessibility features?
- Are our fraud and dispute handling workflows fast, transparent, and fully compliant with the new liability allocation?
- Can we securely share fraud and risk data in real time?
- How rapidly can we roll out regulatory or scheme-driven changes with our current orchestrator or ACS provider?
To ensure your institution is PSD3 ready, get in touch with one of our experts.