PSD3 News: How the new rules tackle fraud, scams, and APP reimbursement

The European digital payments landscape is at a watershed moment. The upcoming Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR) are set to change not just compliance, but core approaches to fraud prevention, social engineering scams, authorized push payment (APP) reimbursement, and operational transparency. For leaders in fraud, risk, and digital banking and payments, this PSD3 news summary offers actionable insight on the regulation’s anti-fraud rules—and how they will reshape authentication and fraud prevention operations.
1. APP scam reimbursement and liability shifts

A hallmark of PSD3 is mandatory reimbursement for APP scams. The liability now shifts away from the customer and increasingly to the payment service provider (PSP), bank, or—under some scenarios—even the digital platform or telco operator.

  • APP scam reimbursement: Banks and PSPs must refund victims of imposter scams, especially impersonation or social engineering attacks, as long as the user reports the fraud promptly.
  • Platform and telco liability: Digital platforms and telcos now face shared responsibility if they ignore or fail to block fraud originating from their channels.
  • Operational impact: Real-time monitoring, streamlined authentication, and robust reporting are no longer optional—PSD3 requires them for all in-scope institutions.

2. Stronger consumer protection expectations

PSD3 highlights dramatically stronger customer protections and rights:

  • Automated customer refunds: Liability for social engineering (impersonation) is shifting to the provider, not the user. Banks are required to prove gross negligence if they wish to deny a claim.
  • Spending limits: New PSR rules require customer-facing controls for payment limits and risk blocks.
  • Human support: Providers must offer human (not chatbot-only) support for fraud-related cases.

3. Reporting and transparency obligations

Fraud-related transparency is becoming paramount throughout the PSD3 and PSR rulebook:

  • Mandatory data sharing: Cross-institution and cross-domain sharing of confirmed fraud case data is legally enabled.
  • Central databases: PSR proposes central repositories for APP scams to boost detection rates.
  • Liability clarity: Customers must be notified when a beneficiary name–IBAN mismatch is detected, or the PSP will be liable.

4. PSD3 and Strong Customer Authentication (SCA): The next evolution

PSD2 introduced SCA, but PSD3 shows this approach may need to become more dynamic:

Context-aware, risk-based SCA: Technology that adapts security based on risk and user behavior is becoming the gold standard, minimizing friction for genuine users while blocking fraud.

Practical example scenarios

  • APP scams in real-time payments: PSD3 requires intelligent interventions—freezing or blocking suspicious transactions before they’re finalized.
  • Card-not-present (CNP) fraud in e-commerce: Multi-factor, biometric, and behavioral solutions help address CNP fraud threats.
  • Account takeover (ATO) via phishing/SIM swap: Device-based and behavioral authentication is crucial for early ATO detection and claim minimization.

Why static, one-size-fits-all SCA is outdated

Fraudsters outpace static controls, turning SCA into a compliance checkbox rather than true protection. PSD3, by contrast, steers institutions towards:

  • Performance-driven Adaptive SCA: Compliance is no longer a binary "yes/no" to SCA; it is now judged by your Transaction Monitoring Mechanisms (TMM). By leveraging behavioral analytics and real-time risk signals, Entersekt clients are moving beyond static prompts. The result is a dynamic response that matches authentication friction to the actual fraud exposure of each transaction—drastically reducing CNP fraud while maximizing payment success rates.
  • Omnichannel Security Orchestration: True protection cannot exist in a silo. Modern authentication must harmonize security across digital banking, call centers, and emerging payment rails. This unified approach ensures that a high-risk signal in one channel informs the security posture of the entire ecosystem.
  • Experience-led Innovation: Banks are now measured by the inclusivity and "performance" of their user journey. Implementing seamless, context-aware authentication allows banks to meet PSR accessibility mandates while simultaneously boosting customer trust and retention through frictionless "silent" security.

How Entersekt helps FIs focus on outcomes

Entersekt’s multi-layered authentication approach helps FIs go beyond compliance, reducing fraud and boosting the customer experience:

  • Reduce fraud with modern authentication: Combining context, device, and behavior-based authentication reduces banking and payment fraud.
  • Standards and compliance: Entersekt solutions are designed to meet evolving PSD2 and PSD3 requirements for financial institutions & PSPs.
  • Fast customer resolution: Real-time alerts and user-friendly authentication solutions empower the customer, meeting both regulatory and business needs.

“PSD3 introduces new measures to tackle emerging challenges in the payments industry, such as the proliferation of new payment methods and the increasing need for strong customer authentication (SCA).”

— Gerhard Oosthuizen, CTO, Entersekt

Key fraud takeaways from recent PSD3 news

  • Mandatory reimbursement for many APP (push payment) fraud cases
  • Greater liability for banks, PSPs, digital platforms, and telcos
  • Customer control features, such as spending limits, blocking, and immediate support
  • Rigorous fraud reporting, monitoring, and cross-institution cooperation
  • Modern SCA is now adaptive, risk-based, and context-aware
  • Data and threat sharing across the entire industry ecosystem

Next steps for fraud leaders

PSD3 and the PSR require more than just compliance—they require transformation. Leaders in fraud and risk should consider:

  1. Modernizing authentication and fraud monitoring to meet PSD3 benchmarks.
  2. Deploying risk-based, multi-layered authentication to maximize fraud prevention and minimize friction.
  3. Collaborating across channels and the industry (banks, PSPs, fintechs, telcos, regulators) for broader, more effective threat detection.

Begin your PSD3 journey and secure your institution’s future by partnering with Entersekt for truly modern fraud prevention and compliance.