From Ideem: device-bound passkeys and A2A payment authentication for banks, fintechs, and payment platforms.
TL;DR
The Payment Services Directive 3 (PSD3) represents the European Union's continued evolution of Strong Customer Authentication requirements, building on PSD2's foundation with tighter fraud prevention standards and expanded scope. While PSD3 texts remain under trilogue negotiations as of early 2026, the European Commission's proposed framework indicates stricter authentication for high-risk transactions, reduced exemption thresholds, and explicit guidance on passkey-compatible authentication methods. Financial institutions operating in EU markets should prepare for implementation timelines likely starting in 2027-2028, with phasing similar to PSD2's rollout.
The European Commission published its PSD3 proposal package in June 2023, consisting of both a revised Payment Services Directive and a new Payment Services Regulation (PSR). These texts entered the EU's legislative process, involving European Parliament and Council of the European Union negotiations. As of April 2026, the trilogue discussions continue, with final adoption expected later this year.
Unlike PSD2, which took several years between adoption and enforcement (directive adopted in 2015, SCA requirements enforced from 2021), PSD3 is expected to have shorter implementation windows due to the PSR component. Regulations take effect directly across member states without requiring national transposition, potentially accelerating compliance timelines for core authentication requirements.
The European Banking Authority has indicated it will issue revised Regulatory Technical Standards for SCA under PSD3, similar to the RTS that defined PSD2's authentication requirements. These standards will provide the technical specifications that banks and payment service providers must follow, making them the critical documents for implementation planning.
PSD3 builds on PSD2's two-factor authentication foundation while addressing weaknesses identified through five years of enforcement experience:
Tighter Exemption Criteria: PSD2 allowed Transaction Risk Analysis exemptions for transactions below 500 euros if fraud rates remained low. PSD3 proposals include reducing these thresholds and requiring more granular fraud rate monitoring. Banks relying heavily on TRA exemptions may need to apply SCA more frequently, impacting checkout experiences.
Enhanced Dynamic Linking: PSD2 required dynamic linking between authentication and transaction details for payment initiation. PSD3 proposals strengthen this by requiring cryptographic binding that prevents attackers from modifying transaction details after authentication. This effectively mandates transaction-specific authentication rather than generic session approval.
Explicit Phishing Resistance: While PSD2 referenced "inherence" and "possession" factors without technology prescriptions, PSD3 drafts explicitly favor phishing-resistant authentication methods. This language aligns with FIDO2 protocols and passkeys, signaling regulatory preference for origin-bound credentials over SMS-based OTPs.
Account Information Service Authentication: PSD2 focused primarily on payment initiation security. PSD3 expands SCA requirements to account information services, requiring stronger authentication for third-party data access. This impacts open banking aggregators and personal finance management applications.
Cross-Border Consistency: PSD2 implementation varied across EU member states because, as a directive, it was transposed into national law separately in each. PSD3's regulation component aims for more uniform enforcement, reducing arbitrage opportunities where payment providers sought lenient jurisdictions.
European payment fraud has evolved substantially since PSD2 took effect. While card-not-present fraud decreased initially following SCA implementation, criminals adapted with more sophisticated attacks:
Authorized Push Payment Fraud: Scammers increasingly trick victims into authorizing legitimate transactions to criminal-controlled accounts. SCA authenticates the payment correctly, but the user is deceived about the recipient. PSD3 includes provisions for payment service provider liability in APP fraud scenarios, incentivizing better fraud detection alongside authentication.
Social Engineering Bypass: Attackers use real-time phishing techniques where they relay authentication challenges to legitimate users while sitting in the middle. The user completes SCA successfully, but for a transaction initiated by the attacker. PSD3's enhanced dynamic linking aims to make this harder by requiring transaction detail verification.
Account Takeover Sophistication: Criminals combine credential phishing with SIM-swap attacks to defeat SMS-based SCA. This drove regulatory interest in device-bound authentication methods that resist remote interception.
The European Central Bank's payment fraud statistics show that while PSD2 reduced certain fraud vectors, the total fraud rate as a percentage of transaction volume has plateaued. PSD3 represents the EU's response to this plateau, recognizing that fraud prevention requires continuous evolution alongside criminal tactics.
Passkeys align naturally with PSD3's authentication philosophy. They satisfy multi-factor requirements through device possession and biometric inherence. They provide phishing resistance through origin binding. They enable transaction-specific authentication through cryptographic signing of payment details.
For payment service providers and banks, passkey implementation offers a path to exceed PSD3 baseline requirements while improving user experience. Unlike SMS OTPs that frustrate customers with delivery delays and code-typing friction, passkeys authenticate instantly through device biometrics.
European fintech companies have already begun large-scale passkey rollouts in anticipation of PSD3. These implementations demonstrate that consumers accept and prefer passkey authentication once they understand the security and convenience benefits. Adoption rates exceed 60% within 90 days for well-designed onboarding flows.
Banks and payment providers preparing for PSD3 should focus on several areas:
Authentication Infrastructure Audit: Current SCA implementations built for PSD2 may require upgrades to meet PSD3's enhanced requirements. Institutions should assess whether existing systems support cryptographic transaction binding, phishing-resistant authentication, and reduced exemption thresholds.
Third-Party Authentication: Payment initiation service providers and account information service providers will need to coordinate authentication approaches with account servicing payment service providers. PSD3's framework for third-party access includes authentication responsibilities that require clear protocols between parties.
Fraud Detection Integration: PSD3's emphasis on fraud prevention beyond authentication means institutions need robust transaction monitoring that integrates with authentication systems. Real-time risk scoring should inform authentication challenge requirements and exemption decisions.
Customer Communication: SCA changes require customer education. European consumers experienced significant friction during PSD2's initial rollout when unfamiliar authentication requirements interrupted online purchases. PSD3 implementations should include clear messaging about security benefits and step-by-step guidance for new authentication methods.
Mobile-First Design: European payment behavior increasingly centers on mobile devices. Authentication solutions must deliver seamless experiences on smartphones while maintaining security. Passkeys' reliance on device biometrics aligns perfectly with mobile-first payment trends.
PSD3 affects any payment service provider or merchant serving European customers, regardless of the provider's location. Non-EU payment companies accessing European bank accounts through open banking must comply with PSD3's authentication and security requirements.
For global e-commerce platforms, PSD3 means adapting checkout flows to accommodate stricter SCA requirements for European transactions. Merchants should implement payment authentication systems that support multiple SCA methods, including passkeys, biometrics, and hardware tokens, to maximize completion rates across diverse customer preferences.
The regulation's emphasis on fraud liability may also shift risk allocation in payment ecosystems. Payment service providers that fail to implement adequate authentication safeguards could face increased liability for fraudulent transactions, creating financial incentives for robust security beyond mere compliance.
PSD3 represents one node in a global trend toward phishing-resistant authentication for financial services. The United States' NIST guidelines recommend phishing-resistant multi-factor authentication for high-assurance scenarios. The Reserve Bank of India mandated additional authentication factors for digital payments. The Monetary Authority of Singapore issued guidelines emphasizing device-bound credentials.
This convergence creates opportunities for financial institutions to build authentication systems that satisfy multiple regulatory frameworks simultaneously. A passkey-based SCA implementation designed for PSD3 compliance will likely satisfy regulatory expectations in other major markets with minimal modification.
PSD3's final form remains subject to trilogue negotiations, meaning specific requirements may shift before formal adoption. Financial institutions should monitor European Banking Authority consultations and European Commission announcements for updated timelines and technical specifications.
However, the regulatory direction is clear: Europe expects stronger, phishing-resistant authentication for digital payments with reduced reliance on knowledge factors and SMS-based OTPs. Institutions that invest in modern authentication infrastructure now will find themselves ahead of compliance deadlines and better positioned to serve security-conscious European customers.
The businesses that view PSD3 as merely a compliance burden will struggle. Those that recognize it as an opportunity to differentiate on security and user experience while meeting regulatory requirements will capture market share in Europe's massive digital payments market.