PSD3 and PSR: what merchants and marketplaces need to know

European payment rules are changing, and if you accept payments online, run a marketplace, or use a payment service provider, this affects you. The Third Payment Services Directive (PSD3) and its companion regulation, the Payment Services Regulation (PSR), represent the most significant overhaul of EU payments law since PSD2 came into force in 2018.

After years in the making, a political agreement was reached in November 2025. Formal adoption is now underway, with PSR expected to enter into force in mid-2026. The first obligations—covering SCA, fraud detection, and open banking—take effect from late 2027. 

That window is shorter than it sounds: platforms restructuring payment models, PSPs rebuilding fraud infrastructure, and businesses reviewing contracts all need lead time. 

In this article, you’ll find answers to the following questions:  

• What are PSD3 and PSR?
• What's changing for merchants and marketplaces?
• When does PSD3/PSR take effect?
• What should merchants do now?

What are PSD3 and PSR?

PSD3 and PSR are two pieces of EU legislation that work together to replace and update PSD2. While they're often mentioned synonymously, they do different jobs. 

PSD3 

The Third Payment Services Directive updates the rules around licensing and supervision for payment service providers. Like PSD2, it's a directive, which means EU member states must transpose it into their national laws. Member states have 18 months to do so once the directive is formally adopted.

PSR 

The Payment Services Regulation is the newer and arguably more important piece of the package. As a regulation—not a directive—it applies directly across all 27 EU member states the moment it enters into force, with no national transposition needed. This means the same rules, with the same wording, apply simultaneously everywhere in the EU.

That distinction is why the PSR exists. One of PSD2's biggest failures was that each member state interpreted the rules slightly differently, creating regulatory fragmentation and an uneven playing field for businesses. The PSR fixes that by removing the interpretation layer entirely.

Together, PSD3 and PSR address three structural weaknesses that PSD2 left unresolved:

• its inability to keep pace with modern payment fraud,
• the underperformance of open banking due to poor API quality,
• and the inconsistency in how rules were applied across borders.

What's changing for merchants and marketplaces?

Six areas are changing under PSD3 and PSR. Here's what each means in practice.

1. Fraud detection and liability

Payment service providers are now financially liable when their fraud detection systems fail. This includes a new category: if a customer is defrauded by someone impersonating the PSP itself, the provider bears responsibility for the loss. For merchants and platforms, this means the quality of your PSP's fraud infrastructure directly affects your exposure—not just theirs.

Providers must also actively share fraud intelligence with other financial institutions and maintain internal fraud training programs. The era of treating fraud as an acceptable operational cost is ending.

2. Strong Customer Authentication

SCA was introduced under PSD2, but PSR substantially expands its scope. Where PSD2 applied SCA primarily to card payments and online transactions, PSR extends it to logins, changes to beneficiary lists, mandate setup, and device recovery. When a user activates a payment app on a new device while an account is already active, PSR requires two-step verification, a notification to the customer’s registered phone or email, and a 4-hour waiting period—giving consumers time to act if credentials have been stolen.

SCA exemptions for low-risk transactions continue, but the bar is higher. Behavioral biometrics like typing patterns, device usage, and navigation signals are now formally recognized as valid authentication factors, opening the door to frictionless authentication for low-risk sessions without sacrificing security.

3. IBAN and name verification

Before processing any transfer, the payer's bank must automatically verify that the recipient's name matches the account number. A mismatch triggers an alert and lets the payer cancel. This closes a common fraud vector where attackers swap out beneficiary account details mid-process. For businesses that send or receive bank transfers, this happens at the infrastructure level. There’s no action required on your end, but it’s worth understanding.

4. Open banking

Banks will be required to provide standardized, high-performance APIs to third-party providers on the same terms as their own internal systems. Under PSD2, banks technically complied while building APIs that were slow, unreliable, or quietly obstructed in practice. PSR explicitly prohibits this. The result is more reliable bank payment integrations and fewer obstacles for providers accessing account data on your customers' behalf.

5. The commercial agent exemption

This is the change most relevant to platforms and marketplace operators. Under PSD2, some businesses handled payment flows without a payment license by arguing they acted purely as agents for buyers or sellers. PSD3 significantly narrows this exemption. E-commerce platforms that act as agents for both buyers and sellers are explicitly excluded.
If your marketplace handles funds or splits payments between multiple parties under the commercial agent exemption, you will likely need to restructure or partner with a licensed payment service provider to handle that flow on your behalf.

MONEI Connect is built for this. It lets platforms and marketplaces accept payments, split funds, and manage payouts without needing their own license.

6. Small merchant protections

Merchants with fewer than 10 employees and annual turnover under €2 million are likely to gain the same legal protections as individual consumers under PSD3. Payment service providers will be required to extend the transparency and information obligations that were previously reserved for consumers to this segment. If you fall into this category, expect your contract terms with payment providers to be updated before the rules take effect.

When does PSD3/PSR take effect?

The legislative process has moved faster than earlier timelines suggested. As of 2026, the framework has passed political agreement and is in the final stages of formal adoption.

The key distinction to understand is that PSR is a regulation, so its core operational rules—SCA, fraud liability, IBAN name verification, and open banking APIs—apply directly across the EU once it is in force, without waiting for national legislation. PSD3, as a directive, requires each member state to transpose it into national law, extending the full compliance window into 2027 and 2028.

In practice, the changes most relevant to merchants and platforms arrive with the first PSR obligations in the second half of 2027—well before PSD3 is fully implemented everywhere.

What should merchants do now?

Most of the compliance work falls on your payment provider, not on you. If you're processing through MONEI, SCA authentication, fraud detection, IBAN name verification, and open banking API standards are handled at the infrastructure level. You don't need to track regulatory updates or make changes to your integration as PSR obligations come into force.

But there are three things worth reviewing on your end: 

1. If you're a small merchant (fewer than 10 employees, under €2M annual turnover), read your current payment provider contract before the rules take effect. You're likely gaining consumer-equivalent protections for transparency, fees, and dispute resolution, and it's worth knowing what to expect in your updated terms.

2. If you accept digital wallets or saved payment methods, check that your checkout flow handles the new device activation requirements. PSR mandates a 4-hour delay and two-step verification when a payment app is activated on a new device. A compliant PSP manages this automatically. 
3. If you operate a marketplace, review whether your payment model relies on the commercial agent exemption. If it does, start that conversation now—PSD3's national transposition deadline runs through 2028, but restructuring a payment model takes time.

How MONEI keeps your business compliant

MONEI is an EU-licensed payment service provider regulated by the Bank of Spain. When PSR obligations take effect, the compliance work happens on our side—SCA authentication, fraud detection, IBAN name verification, and open banking API standards are built into the infrastructure your payments already run on. You don't need to monitor the regulatory calendar or update your integration.

For platforms and marketplaces navigating the narrowed commercial agent exemption, MONEI Connect provides licensed payment infrastructure—including KYC, payouts, and fund splitting—without requiring your platform to hold its own payment license.

MONEI is also PCI DSS Level 1-certified, the highest standard for payment security, so sensitive card data never touches your systems.
If you're not yet processing payments through MONEI’s payment gateway, get in touch to talk through your setup before the first PSR deadline arrives.

Alexis Damen

Alexis Damen is a former Shopify merchant turned content marketer. Here, she breaks down complex topics about payments, e-commerce, and retail to help you succeed (with MONEI as your payments partner, of course).