If your US-based business accepts payments from European customers, you are already subject to European payment regulations. You may not have realized it. The Payment Services Directive (PSD2) and its successor PSD3, scheduled for implementation in 2027, have extraterritorial reach that affects every merchant processing card payments for European Economic Area customers, regardless of where the merchant is domiciled. For high-risk US merchants, the compliance implications are significant, and the regulatory gap between US and European requirements creates both operational burdens and opportunities.
PSD2 came into full effect across the European Union and European Economic Area in 2021, replacing the original Payment Services Directive from 2007. Its primary goals were to increase payment security, foster innovation through open banking, and create a harmonized payment services market across Europe. The most visible impact for merchants has been Strong Customer Authentication (SCA), which requires multi-factor authentication for virtually all electronic payments within Europe. Every online transaction originating from a European customer must now be authenticated using at least two of three factors: something the customer knows (a password), something the customer has (a phone or token), or something the customer is (biometric data like a fingerprint or face scan).
For the typical US merchant with European customers, SCA directly affects checkout completion rates. When a European customer attempts to make a purchase on a US-based website, their issuing bank may require SCA authentication. If the merchant's payment gateway does not support 3D Secure 2.0 (3DS 2.0), the technical standard for implementing SCA, the transaction may be declined. The result is a significantly higher cart abandonment rate for European customers. Merchants who have not upgraded their payment infrastructure to support 3DS 2.0 are effectively turning away European business.
How PSD2 Creates Compliance Burdens for US Merchants
The compliance burden of PSD2 extends beyond SCA. The directive introduced new requirements for transaction monitoring, reporting, and customer information that apply to any payment service provider processing European transactions. While the directive technically regulates payment service providers rather than merchants directly, the practical effect is that merchants must ensure their payment processors are PSD2-compliant. A merchant's acquiring bank or payment gateway must demonstrate SCA compliance, maintain real-time transaction monitoring systems, and provide specific information to customers before and after transactions.
For high-risk US merchants, the compliance challenge is compounded by the fact that many high-risk payment processors operate in regulatory jurisdictions that are not directly governed by European law. A US-based high-risk processor using offshore acquiring banks may not have invested in PSD2 compliance infrastructure. When European customers attempt to transact with these merchants, the lack of SCA support results in declined transactions, frustrated customers, and lost revenue. The merchant is caught between a processor that cannot process European payments and customers who expect to pay using their preferred methods.
The data protection dimension of PSD2 adds another layer. The directive requires merchants and payment service providers to share transaction data with authorized third-party providers through open banking APIs. While this requirement primarily affects banks and payment institutions, merchants must be aware that European customers may use third-party payment initiation services to make purchases. A merchant that blocks or fails to support these authorized third-party payment methods is violating PSD2 requirements and may face disputes or regulatory complaints.
PSD3: What Changes for US Merchants
PSD3, which the European Commission proposed in 2023 and which is expected to take effect in 2027, builds on PSD2 while addressing several gaps and unintended consequences. For US merchants, the most significant change is the extension of SCA requirements to additional transaction types and the clarification of liability rules. Under PSD3, the liability for unauthorized transactions shifts more clearly toward the payment service provider when SCA was not applied, which means merchants have stronger grounds to dispute chargebacks resulting from transactions that were authenticated but still disputed by the cardholder.
PSD3 also introduces the Payment Services Regulation (PSR), which directly harmonizes rules across member states rather than relying on individual national implementation. This direct regulation approach eliminates the regulatory fragmentation that has plagued PSD2 implementation, where different European countries interpreted the directive differently. For US merchants processing European payments, a harmonized regulatory framework means they can implement a single compliance approach rather than needing to adapt to each country's specific requirements.
The new regulatory framework also strengthens open banking provisions, requiring banks to provide dedicated interfaces for third-party providers and mandating compensation for outages. For merchants, this means more reliable third-party payment initiation services and potentially lower transaction costs as competition among payment providers increases. The enhanced API standards may also enable merchants to offer payment methods that were previously difficult to integrate, such as real-time bank transfers from European customers.
Practical Compliance Steps for US Merchants
The first and most important step for any US merchant accepting European payments is to verify that their payment gateway supports 3D Secure 2.0 authentication. 3DS 2.0 is not optional for European transactions; it is the technical foundation upon which SCA compliance is built. Merchants should confirm with their processor that 3DS 2.0 is enabled for European transactions specifically, as some processors apply it selectively. The merchant should also test the authentication flow on their checkout page to ensure that European customers are prompted for authentication when required but not unnecessarily challenged for low-risk transactions.
Transaction routing is the second critical consideration. PSD2 applies specifically to transactions where both the customer's bank and the merchant's acquirer are located within the European Economic Area. However, the practical application is broader. European issuing banks apply SCA requirements to all transactions initiated by their cardholders, regardless of where the merchant is located. A US merchant processing a transaction from a French customer using a French-issued card will trigger SCA requirements at the issuing bank level, even if the merchant's US-based acquirer does not require it. The merchant needs to ensure their payment gateway can handle SCA challenges initiated by foreign issuing banks.
For high-risk US merchants specifically, the compliance strategy should include selecting a payment processor with explicit PSD2 compliance capabilities. Many high-risk processors specialize in domestic US processing and do not support the regulatory infrastructure needed for European transactions. Merchants who anticipate accepting European payments should prioritize processors that offer 3DS 2.0 support, maintain European acquiring relationships, and understand SCA exemption rules. Exemptions exist for low-value transactions under thirty euros, recurring payments of the same amount, and transactions deemed low-risk by the issuer's fraud analysis. A knowledgeable processor can help merchants maximize these exemptions to reduce checkout friction.
The Competitive Advantage of PSD2 Compliance
While PSD2 and PSD3 compliance is often viewed as a regulatory burden, there is a competitive angle that high-risk US merchants should recognize. Most US-based high-risk merchants do not support European payment methods or SCA-compliant checkout flows. This creates a significant gap in the market. Merchants who invest in PSD2-compliant payment infrastructure can capture European customers that their competitors cannot serve, effectively operating in a less crowded competitive space.
European consumers have been conditioned by PSD2's SCA requirements to expect a multi-factor authentication step during online checkout. A US merchant that does not present SCA challenges to European customers during checkout may actually appear less trustworthy to those customers. The authentication step, when presented clearly and with the right user experience, reassures European customers that their payment is protected. Merchants who frame SCA compliance as a trust signal rather than a friction point can convert the regulatory requirement into a marketing advantage.
Furthermore, PSD3's enhanced open banking provisions are creating new payment methods that bypass traditional card networks entirely. Account-to-account payments, where customers pay directly from their bank accounts using authentication provided by their bank, offer significantly lower transaction costs than credit card processing. For high-risk merchants who face elevated discount rates due to their industry classification, open banking payments represent an opportunity to reduce processing costs while maintaining secure, regulated payment acceptance. The merchants who prepare for this shift now will have a structural cost advantage over competitors who remain dependent on card network processing.
The regulatory gap between US and European payment frameworks is widening. While the United States relies primarily on market-driven security standards and voluntary adoption of authentication technologies, Europe has created a comprehensive regulatory framework that mandates security, transparency, and competition. US merchants who choose to operate within the European regulatory framework gain access to a market of over four hundred fifty million consumers who are accustomed to secure, authenticated digital payments. For high-risk merchants who can navigate the compliance requirements, the European market represents one of the most significant growth opportunities in payment processing today.