The Second Payment Services Directive, or PSD2, introduced major changes to how payments work for platforms and marketplaces in Europe. It also changed how third-party payment providers can get permissioned access to bank accounts and handle payments, and it introduced Strong Customer Authentication (SCA) to make payments more secure.
The European Commission has now revised the current framework and issued proposals for a Payment Services Directive 3 and Payment Services Regulation. The new payment rules seek to ensure greater harmonization of the rules across the EU, further develop a level playing field for payment providers, and introduce improvements in customer and fraud protection.
While negotiations are ongoing between the European Parliament and EU Member States, and while we don’t expect the final rules to come into effect before 2026, there are some important changes that platforms and marketplaces (in particular) should be aware of and can start preparing for today. This guide provides an overview of these changes to help you successfully prepare for Europe’s new payment rules.
The European Banking Authority (EBA) will be mandated by the European Commission to issue supplementary Regulatory Technical Standards (RTS) and lay out detailed rules on important elements of the PSD3/PSR—such as Strong Customer Authentication—to help firms implement them.
Overview: What is changing in PSD3?
Directly applicable rules across the EU
|
The new Payment Services Regulation includes most of the already existing rules under PSD2, including on fraud and liability, transparency, open banking, and SCA. However, these rules will now be directly applicable across Member States. This reduces the scope allowed for EU Member States to interpret the rules differently, and it means that payment rules will be applied more uniformly across the EU—making their implementation easier for businesses. |
---|---|
Payment institutions will be able to issue e-money
|
PSD3 merges the legal frameworks that apply to e-money institutions and payment institutions. In the future, e-money institutions will be licensed as payment institutions under PSD3. Payment institutions will be able to issue e-money and the E-Money Directive (EMD2) will be repealed. |
Further tightening of the commercial agent exemption
|
The new rules further tighten the requirements for platforms and marketplaces that can use the commercial agent exemption, limiting the circumstances in which they can draw on the exemption for payments. |
Measures to strengthen open banking payments
|
New benchmarks will be introduced to improve open banking APIs’ performance and to remove existing obstacles third-party providers have to accessing customer bank accounts. This is expected to improve the functioning and adoption of open banking. |
Greater liability for fraud
|
Payment service providers (PSPs) will face liability for fraud in a greater range of cases and be obliged to take additional measures to combat fraud (e.g., educating customers on fraud risks or sharing relevant information with other financial institutions). |
New rules for SCA and transaction monitoring
|
The rules around the application of SCA will be clarified (e.g., in the case of merchant-initiated and Mail Order Telephone Order transactions). New Regulatory Technical Standards from the European Banking Authority will also likely see changes to transaction monitoring requirements and SCA exemptions. |
How will PSD3 affect platforms and marketplaces?
Payments for platforms and marketplaces under the current PSD2 rules
The PSD framework regulates payments for platforms and marketplaces. For example, when a platform enters into possession or control of funds owed by a buyer and settles them to the seller, the platform would be considered to be providing regulated payment services (such as operating a payment account, executing payment transactions, or completing money remittance). There is an important exception to this rule—the commercial agent exemption—which in the past, platforms had often tried to rely upon in order to avoid obtaining a license.
PSD2 tightened the commercial agent exemption to apply exclusively in cases where a platform or marketplace only acts on behalf of either the payer or the payee, but not both. If acting for both, a platform is only able to avoid a licensing requirement if it does not possess or control funds (i.e., it relies on a licensed payment service provider). This was intended to mitigate the credit risk of platform and marketplace businesses by limiting the handling of acquired funds to a regulated entity that is required to meet local safeguarding requirements.
The commercial agent exemption allows parties to provide payment services without a license, in situations where they are acting as a commercial agent on behalf of a payer or payee.
Tighter rules under PSD3 for platforms and marketplaces
PSD3 proposes to further tighten the requirements for platforms and marketplaces using the commercial agent exemption. As a result, the commercial agent exemption will likely only be available to platforms and marketplaces in very limited circumstances. If you are a platform or business currently relying on the commercial agent exemption, you should carefully consider the impact of PSD3.
The new rules introduce further conditions to be met for the commercial exemption to apply: the agent must be authorized by the payer or payee to negotiate/conclude transactions on their behalf and give the payer or payee a real margin to negotiate with the agent. The preamble to PSD3 reiterates that ecommerce platforms acting as agents on behalf of both individual buyers and sellers are not commercial agents and therefore cannot engage in payment services activities without a license.
PSD3 also mandates the European Banking Authority to issue specific guidelines providing further clarity and convergence among EU Member States, in addition to a list of use cases covered by the exemption.
How Stripe helps platforms and marketplaces meet the new requirements
Stripe has always aimed to create products that minimize the regulatory burden on our users. We removed the burden of PSD2 on platforms by creating Connect, which allows platforms to use a technical solution to abstract themselves from the regulatory requirements. Connect offers the same benefit to platforms and marketplaces under PSD3, by providing them with a payment solution that doesn’t require them to obtain a payment license.
With Stripe providing the regulated service, platforms are free to focus on what they do best: building great marketplaces for their users. More than 4,000 platforms with sellers across Europe have already chosen to rely on Connect, rather than having to obtain their own payment license or provide evidence that they fall under exemptions.
Platform payments with Connect
If you have questions regarding Stripe Connect, we’d love to hear from you.
What are the new rules for SCA?
The role of SCA in reducing fraud
Strong Customer Authentication was introduced in Europe through PSD2 to reduce fraud and make online and contactless payments more secure. SCA requires authentication through two-factor authentication. For further information about SCA, see our guide on Strong Customer Authentication.
The European Commission’s evaluation of PSD2 concluded that SCA has been successful in reducing fraud. PSD3/PSR aims to build on and improve SCA by clarifying key definitions, further specifying exemptions for low-risk transactions and continuing to balance security with the development of user-friendly, innovative, and accessible means of payment.
In our view, the new rules could further improve the experience of customers at the point of online checkout. They give more clarity to financial institutions, card networks, and payment providers to apply SCA exemptions for transactions with lower risk, or for recurring transactions. Longer term, the new rules may also introduce the possibility for further exemptions depending on the risk of a transaction and in line with improvements in technology. Businesses should continue to optimize their SCA engine under the new rules to get the best authentication results.
MIT
|
For merchant-initiated transactions (MITs), SCA only has to be applied at the setup of the mandate, but not for subsequent MITs. An eight-week unconditional refund right—similar to SEPA Direct Debits—is introduced for MITs. |
---|---|
MOTO
|
For Mail Order Telephone Order (MOTO) transactions, only the initiation of a payment transaction needs to be nondigital in order for that transaction to be exempt from SCA. |
Dynamic linking
|
Elements of SCA that dynamically link the transaction to a specific amount and payee should be used for electronic payment transactions in which a payment is placed through a payer’s device using proximity technology (e.g., near-field communication, or NFC) and the application of SCA requires the use of the internet on the payer’s device. |
Account information services
|
For PSPs providing account information services under open banking, SCA is only required on the occasion of the first data access. However, SCA is required when customers access aggregated account data on the account information service provider’s domain, at least every 180 days. |
Tokenization
|
Tokenization requires the application of SCA when the cardholder is actively involved in the tokenization process (e.g., when enrolling or replacing a card in a wallet or card-on-file solution). |
Transaction monitoring
|
The European Banking Authority will issue Regulatory Technical Standards for payment service providers’ use of transaction monitoring, including through environmental and behavioral characteristics (e.g., customer location or spending habits). This underpins the use of SCA exemptions for transactions that pose a low level of risk (i.e., Transaction Risk Analysis exemptions). |
---|---|
SCA exemptions
|
The EBA is also mandated to develop further Regulatory Technical Standards on SCA requirements and exemptions, taking into account a risk-based approach and the use of technology. |
Two-factor authentication
|
The new rules suggest that the factors used for two-factor authentication under SCA do not need to belong to different categories, as long as their independence is fully preserved. This could allow customers to authenticate using two passwords, or a fingerprint and face ID. |
Accessibility
|
PSPs have to offer different ways of performing SCA, such as through SMS, that do not depend on the possession of a smart device. |
Liability for TSPs
|
Liability is attributed to technical service providers (TSPs) and operators of payment schemes in case of failure to support the application of SCA. This is to ensure increased cooperation among all players involved in performing SCA. |
---|---|
Outsourcing
|
Payment service providers that rely on TSPs for the provision and verification of SCA elements have to enter into outsourcing agreements with these TSPs. The EBA will set out requirements for these outsourcing agreements. |
Further measures to prevent fraud and protect consumers
In addition to the updated SCA requirements, the new rules introduce further measures to strengthen consumer protection and encourage payment service providers to take additional measures to prevent fraud. These include requirements for PSPs to educate customers on fraud trends, conduct regular internal training programs, cooperate with electronic communications service providers, and share information with other financial institutions. They also oblige PSPs to refund payment services users for fraudulent transactions in the event of impersonation fraud.
How Stripe helps you meet SCA requirements
The introduction of SCA in PSD2 deeply affected internet commerce in Europe. To ensure a smooth transition to the new rules, Stripe worked with impacted businesses and partners to implement the new requirements and manage the impact on conversion rates. This included supporting authentication methods such as 3D Secure 2 and developing new methods of two-factor authentication to ensure a smooth authentication experience for businesses and their customers.
Our products, including Stripe Checkout and Billing, are built on our Payments API that uses Stripe’s SCA logic to trigger 3D Secure when necessary. Our SCA solution includes successful handling of exemptions as a key component for building a first-class payment experience that minimizes friction while providing best-in-class security. We optimize the application of SCA for different regulatory, bank, and card network rules and apply relevant exemptions—such as for low-risk payments or secure corporate payments—so as to only trigger 3D Secure and/or apply two-factor authentication when required.
SCA authentication flow
Stripe’s authentication engine also leverages machine learning models that detect risk in real time and enable businesses to provide a best-in-class experience to their customers while ensuring SCA compliance.
We will continue to monitor upcoming changes to SCA. Our updated SCA solution can assist you with the application of SCA and help you increase authentication success and conversion rates—all while staying compliant with SCA rules and minimizing fraud. Learn more about how to boost your revenue with higher authorization rates using Stripe.
What’s next?
PSD3 and PSR are a significant update to Europe’s payment rules. In preparation for the revised rules, platforms and marketplaces will have to review the use of exemptions such as the commercial exemption, if applicable, or continue to rely on regulated payment providers to offer payment solutions.
In light of PSD3/PSR and any upcoming EBA guidance, businesses will also have to continuously review requirements for SCA. Payment providers that have built SCA updates into their authentication engine can help with optimizing the number of payments that require SCA and maximizing the success rate of two-factor authentication while minimizing fraud.
During the course of 2024 and 2025, the European Commission, the European Parliament, and EU Member States will finalize the new rules. PSD3 will subsequently have to be transposed into national law by the EU Member States. While there are no clear timelines on the negotiations and implementation period at this stage, it is unlikely that the rules will come into effect before 2026.
Stripe is engaging in discussions with relevant policymakers to share our insights into how Europe’s future payment rules can work best for businesses and their customers. We will be updating this page as further information becomes available.
If you would like to learn more about how Stripe can help you prepare for the revised rules, or if you would like to share your thoughts with us, please contact your Stripe team or email our PSD3 team at psd3@stripe.com.
For responses to commonly asked user questions regarding the regulatory status of Stripe Connect in Europe, please see this FAQ page.