The Payment Services Directive 3 (PSD3) entered into force across the European Union in early 2026, representing the most significant overhaul of European payment regulation since PSD2 was implemented in 2018. Alongside its companion legislation — the Payment Services Regulation (PSR) — PSD3 introduces fundamental changes to strong customer authentication (SCA), open banking API standards, merchant liability frameworks, cross-border payment transparency, and IBAN-name verification requirements that directly affect any merchant accepting payments from European customers.
PSD3's impact is not limited to European-based businesses: it also reaches merchants based outside the EU, particularly those in the United States, United Kingdom, and Asia-Pacific markets. Any merchant that processes payments for European cardholders or maintains a European payment operation must comply with PSD3 requirements, and enforcement mechanisms have been strengthened to apply to non-EU payment service providers that serve European customers. The European Banking Authority (EBA) estimates that over 200,000 non-EU businesses will need to update their payment compliance frameworks to align with PSD3 requirements.
This article provides a comprehensive analysis of PSD3's regulatory impact on merchants, covering the key differences from PSD2, the evolution of SCA requirements, open banking API standardization, merchant liability shifts under the new framework, cross-border payment transparency rules, IBAN-name verification mandates, and the Payment Services Regulation's role as PSD3's companion legislation.
PSD3 vs. PSD2: The Key Differences
PSD3 does not replace PSD2 from scratch — it amends and extends PSD2's framework while the Payment Services Regulation (PSR) replaces certain PSD2 articles with directly applicable EU-wide rules. The structural shift from a directive (which requires national transposition) to a regulation (which applies uniformly across all member states) is itself one of the most important changes, as it eliminates the fragmentation that characterized PSD2 implementation across EU jurisdictions.
The major structural differences between PSD2 and PSD3/PSR include:
- Regulation vs. directive: PSR provisions apply directly without national implementation, creating a single rulebook for the EU payments market. PSD3 retains directive status for certain provisions (licensing, supervision, passporting) but PSR covers the operational rules that most directly affect merchants.
- Expanded scope: PSD3 extends coverage to new payment services including digital wallet providers, BNPL services, and payment initiation service providers (PISPs) that were not fully covered under PSD2. Crypto-asset payment services that involve fiat currency on-ramps and off-ramps are also brought within the regulatory perimeter.
- Strengthened enforcement: National competent authorities receive expanded enforcement powers, including the ability to impose fines of up to 4 percent of annual turnover for serious PSD3 violations. Non-EU payment service providers serving EU customers are subject to equivalent enforcement through their EU-based agents or branches.
- Enhanced consumer protection: Liability provisions have been rebalanced to place greater responsibility on payment service providers, including merchants' acquirers, for unauthorized transactions and failed authentication scenarios.
For merchants, the PSD2-to-PSD3 transition means re-evaluating their payment integration setup, authentication flows, liability allocation, and compliance documentation. Merchants who built their PSD2 compliance around national implementations that varied by country now benefit from a more uniform EU-wide framework, but they face new requirements that did not exist under PSD2, particularly around open banking integration and IBAN-name verification.
Strong Customer Authentication: What Changed
Strong customer authentication under PSD3 retains the same three factor categories as PSD2 — knowledge (something the user knows), possession (something the user has), and inherence (something the user is) — but PSD3 introduces significant changes to how SCA is applied, when exemptions are available, and who bears liability for authentication failures.
The most important SCA changes for merchants are:
Transaction Risk Analysis (TRA) exemptions are expanded. Under PSD2, TRA-based SCA exemptions allowed merchants to skip SCA for low-risk transactions below €100, subject to fraud rate monitoring by the issuer. PSD3 raises the threshold to €150 for TRA-based exemptions and introduces a new "low-value transaction exemption" for payments under €50 that are processed by payment service providers with fraud rates below 0.1 percent. This expansion is significant for merchants in high-volume, low-value verticals such as digital content, subscription micro-transactions, and in-app purchases.
Merchant-initiated transactions (MITs) receive clearer treatment. PSD3 codifies the distinction between MITs — recurring transactions under a card-on-file agreement where the merchant initiates the payment — and customer-initiated transactions (CITs) where the cardholder actively participates. MITs under PSD3 require SCA only at the time the card-on-file agreement is established, with subsequent recurring transactions exempt from SCA provided the merchant maintains accurate credential-on-file records. This codifies what was previously EBA guidance and reduces the legal uncertainty that led some merchants to over-apply SCA for recurring billing, increasing checkout abandonment.
SCA liability shifts to the merchant's acquirer in specific scenarios. Under PSD3, if a transaction is authenticated using SCA and still results in a fraudulent chargeback, liability for the transaction shifts to the merchant's acquirer (or the payment service provider that authenticated the transaction) rather than the merchant — provided the merchant has complied with all SCA requirements. This represents a meaningful liability reduction for merchants who implement proper SCA flows, particularly for card-not-present transactions where fraudulent chargebacks are most common. For merchants managing cross-border payment compliance, this liability shift is a powerful incentive to ensure full PSD3 SCA compliance.
Outage provisions have been tightened. PSD3 requires payment service providers to maintain SCA fallback mechanisms that allow transactions to proceed when biometric or possession-factor authentication is unavailable. If a PSP's SCA system is unavailable and the PSP fails to provide an equivalent authentication method within 30 seconds, the merchant is not liable for any resulting transaction failures or fraud. This provision addresses a persistent complaint from merchants under PSD2, where SCA outages caused significant revenue loss without clear liability allocation.
Open Banking API Standardization Under PSD3
Open banking — the framework that allows third-party providers (TPPs) to access consumer payment accounts through APIs — was a centerpiece of PSD2 but suffered from inconsistent implementation across EU member states and the UK. PSD3 directly addresses these inconsistencies through the PSR's open banking provisions, which establish mandatory API standards, performance requirements, and dispute resolution mechanisms.
The open banking changes under PSD3/PSR include:
Mandatory API standards based on the Berlin Group's NextGenPSD2 standard, which has been updated for PSD3 compliance. All account-servicing payment service providers (ASPSPs) — typically banks — must expose payment initiation and account information APIs that conform to these standards. The European Banking Authority maintains the official API standard registry and conducts periodic compliance testing, with non-compliant ASPSPs facing fines of up to 1 percent of annual turnover.
Performance requirements for ASPSP APIs include: a maximum 2-second response time for payment initiation requests, 99.5 percent API uptime (measured monthly), and mandatory fallback interfaces for ASPSPs whose dedicated APIs experience downtime. These requirements address the single biggest barrier to open banking adoption under PSD2 — poor API performance and availability that prevented merchants and TPPs from relying on open banking for payment processing.
The introduction of variable recurring payments (VRPs) as a mandated open banking capability. VRPs allow consumers to authorize recurring payments from their bank account up to a predefined limit, similar to a direct debit but with consumer-controlled caps and real-time payment confirmation. For merchants, VRPs represent an alternative to card-based recurring billing with significantly lower transaction fees — typically €0.05 to €0.15 per transaction compared to 1-2 percent for card payments. Open banking account-to-account payments have gained significant traction in 2026, and PSD3's VRP mandate is expected to accelerate adoption further.
For merchants evaluating open banking integration, PSD3's standardization means that a single API integration provides access to all EU ASPSPs that support PSD3-compliant open banking — over 4,000 financial institutions across the EU and EEA. This is a dramatic improvement from the PSD2 era, where API fragmentation required merchants to support multiple API specifications depending on the customer's country and bank.
Merchant Liability Shifts Under PSD3
PSD3 introduces several important changes to liability allocation in payment transactions that directly affect merchants' chargeback risk and fraud exposure.
SCA-related liability reversal: As noted above, PSD3 shifts liability for authenticated transactions to the PSP that performed the authentication, provided the merchant has complied with all applicable SCA requirements. This means that if a merchant properly implements 3DS or equivalent SCA for a card-not-present transaction and the transaction is later disputed as fraudulent, the liability rests with the acquirer or PSP, not the merchant. This is a significant improvement over the PSD2 framework, where liability often defaulted to the merchant even after proper SCA implementation, because the regulatory text was ambiguous about liability allocation.
Unauthorized transaction liability: PSD3 reduces the merchant's liability for unauthorized transactions where the merchant can demonstrate that the transaction was authenticated through SCA and that the merchant's systems were not compromised. The merchant's liability cap is set at €50 per unauthorized transaction, down from the PSD2 default of €150. If the merchant can demonstrate that the unauthorized transaction would have been blocked by SCA but was processed due to an issuing bank or PSP authentication error, the merchant bears zero liability.
Cross-border liability clarity: PSD3 introduces clear liability rules for cross-border transactions where the merchant's acquirer and the cardholder's issuer are in different countries. In cases where a transaction is authenticated under the SCA rules of the acquirer's jurisdiction but disputed under the rules of the issuer's jurisdiction, PSD3 specifies that the acquirer's SCA framework governs liability — eliminating the cross-jurisdictional disputes that have complicated cross-border chargeback management under PSD2.
Chargeback timeline reforms: PSD3 reduces the maximum chargeback filing period from 120 days to 90 days for most transaction types and introduces a mandatory 20-business-day resolution requirement for acquirers and issuers. For merchants managing chargeback disputes, these shorter timelines reduce the period of revenue uncertainty and require faster response to representment requests, but also mean that chargeback reserves can be released sooner when disputes are resolved in the merchant's favor.
Cross-Border Payment Transparency
PSD3 significantly expands cross-border payment transparency requirements for merchants and payment service providers. The regulation introduces new disclosure rules designed to give consumers — and by extension, the merchants serving them — clearer visibility into the total cost of cross-border transactions.
Full fee disclosure: Payment service providers must disclose to both the payer and the payee the exact transaction amount, all fees charged (including currency conversion margins, cross-border processing fees, and intermediary bank charges), and the expected settlement timeline. These disclosures must be provided before the transaction is executed and confirmed after settlement. For merchants, this means that their acquiring bank or payment gateway must provide transparent fee breakdowns for each cross-border transaction, reducing the prevalence of opaque fee structures.
Currency conversion transparency: PSD3 requires payment service providers to present the exchange rate applied to a cross-border transaction, including the markup over the European Central Bank reference rate. This markup must not exceed 1.5 percent for euro transactions and 2 percent for non-euro transactions involving EU currencies. For merchants accepting payments from EU customers in their local currency while settling in their domestic currency, currency conversion fee caps directly reduce processing costs.
Settlement timeline guarantees: PSD3 mandates that inbound cross-border payments must be settled within two business days of the transaction date. For merchants using payment service providers that offer instant settlement, the regulation requires that instant settlement is offered as an option for all cross-border euro transactions, with a maximum settlement time of 10 seconds. Instant cross-border payment rails have expanded rapidly in 2026, and PSD3's settlement timeline requirements create a regulatory floor that ensures all merchants benefit from faster access to cross-border funds.
For US merchants serving European customers, PSD3's transparency requirements mean that their payment gateway and acquirer must provide detailed per-transaction fee breakdowns, exchange rates, and settlement timelines. Merchants who process cross-border transactions through payment intermediaries that do not provide these disclosures face compliance risk, as the merchant is ultimately responsible for ensuring that the payment service providers they use comply with PSD3 disclosure rules.
IBAN-Name Verification Requirements
One of the most operationally significant PSD3 requirements for merchants is the mandatory IBAN-name verification service. Under PSD3, all payment service providers must offer an IBAN-name verification service that allows payers to confirm that the payee's name matches the name associated with the IBAN before the payment is executed. This requirement applies to all credit transfers and direct debits within the SEPA zone, including transactions initiated through payment initiation service providers (PISPs) and open banking interfaces.
How IBAN-name verification affects merchants:
For merchants that receive payments via SEPA credit transfer — common for B2B transactions, invoice payments, and account-to-account settlement — the IBAN-name verification requirement means that customers who initiate payments to the merchant will be prompted with a verification that the name the customer entered matches the name registered with the merchant's IBAN. If there is a mismatch, the customer may be warned or the transaction may be blocked, depending on the PSP's implementation.
Merchants must ensure that the beneficiary name on file with their acquiring bank or settlement account matches the name presented to customers. Discrepancies between a merchant's trading name and its registered business name — common for high-risk merchants operating under DBA (Doing Business As) registrations — can trigger IBAN-name verification failures that delay or block incoming payments. Merchants should verify with their account provider that their trading name is registered as an alias on their IBAN account.
For merchants using IBAN for refunds or payouts to European customers, the same verification applies in reverse — the merchant must verify that the customer's name matches the IBAN before initiating a payout. This adds a verification step to payout workflows that previously had no such requirement, potentially delaying refund processing unless automated verification is integrated into the merchant's payout system.
The European Banking Authority estimates that IBAN-name verification will prevent approximately €2 billion in misdirected payments annually across the EU, reducing both fraud and operational error. For merchants managing payment system resilience, the verification requirement adds a layer of safety that reduces payout errors and associated dispute costs.
The Payment Services Regulation (PSR) Companion
Understanding the relationship between PSD3 and the Payment Services Regulation (PSR) is essential for merchants navigating the 2026 regulatory landscape. PSD3 and PSR were published together as a legislative package, with PSD3 functioning as a directive (amending and replacing PSD2) and PSR functioning as a directly applicable regulation that contains the operational requirements most relevant to merchants.
The PSR covers the following areas that directly affect merchants:
- SCA exemptions and authentication requirements: Articles 15-28 of the PSR contain the detailed SCA rules, including the expanded transaction risk analysis framework, MIT definitions, and liability allocation provisions described above.
- Open banking API standards: Articles 30-45 mandate the API standards, performance requirements, and VRP framework for account access by TPPs.
- Cross-border fee transparency: Articles 50-58 set the fee disclosure, exchange rate transparency, and settlement timeline requirements.
- IBAN-name verification service: Article 67 requires PSPs to offer the payee name verification service described above.
- Liability and chargeback rules: Articles 70-82 govern liability allocation for authorized and unauthorized transactions, chargeback timelines, and dispute resolution.
- Enforcement and penalties: Articles 90-102 define the enforcement framework, including fines, corrective measures, and cross-border cooperation between national competent authorities.
For merchants, the PSR's direct applicability means that the compliance requirements are identical across all EU member states. A merchant accepting payments from German, French, and Italian customers faces the same PSR requirements for each market — a significant simplification from the PSD2 era, where national implementation differences created compliance complexity. The impact of European payment regulations PSD2/PSD3 on US merchants has been a closely watched topic, and the PSR's uniform framework makes EU compliance more predictable for non-EU businesses.
Implementation timelines vary by requirement. Most PSR provisions applied from January 2, 2026, the date the regulation entered into force. However, certain provisions — including the open banking API performance requirements and the VRP mandate — have phased implementation timelines running through mid-2027. Merchants should work with their payment service providers to understand the specific compliance timeline for each PSR requirement that affects their payment operations.
Preparing Your Merchant Operation for PSD3 Compliance
For merchants evaluating their PSD3 compliance posture, several practical steps are recommended. First, verify with your payment gateway, acquirer, and PSP that their authentication flows are fully PSD3-compliant, including support for the expanded TRA exemption framework and the clearer MIT rules. Second, review your chargeback representment processes to ensure you are capturing the documentation needed to claim the SCA-related liability protections. Third, if you receive or make SEPA credit transfers, verify your IBAN name registration with your account provider and implement automated IBAN-name verification for customer payouts. Fourth, evaluate open banking VRP integration as a lower-cost alternative to card-based recurring billing. Fifth, ensure that your cross-border payment disclosures meet PSD3's transparency standards — your payment service provider should be providing these disclosures automatically, but verify that your settlement reports include the required fee, exchange rate, and timeline information.
PSD3 and the PSR represent the most significant European payment regulatory update in nearly a decade. While the compliance requirements are substantial, the regulatory framework also provides meaningful benefits for compliant merchants: reduced liability for authenticated transactions, expanded SCA exemptions that reduce checkout friction, standardized open banking APIs that enable lower-cost payment alternatives, and transparent cross-border fee structures that improve cost predictability. Merchants that invest in PSD3 compliance early will be well-positioned to serve the European market through the remainder of the decade.