Securing the Future: The Impact of PSD3 on Payment Security and Fraud Prevention

In the digital age of modernizing payment services and opening financial services, data is a pivotal step in transitioning the payment industry from Open Banking to Open Finance.

Through Open Banking, third-party service providers have secured and permissioned access to users’ bank account information. Through Open Finance, customers can securely share non-banking data like mortgages, pensions, insurance, taxes, savings, etc. via APIs.

Evolution of Payment Services Directive (PSD)

PSD1: Adopted in 2007, laid the foundation for the EU single payment market.

PSD2: in 2018, Strong Customer Authentication (SCA) and Open Banking requirements were introduced to boost security and compliance.

PSD3: will further enhance consumer protection, security, innovation, and financial inclusion. It is a directive given to the EU Member States. The regulation providing the governing rules for payment services in the EU is the Payment Services Regulation.

Payment Service Providers (banks and non-banks) must comply with the new authorization system introduced by PSD3 within 2 to 3 years by 2026.

Benefits of PSD3

A few benefits of PSD3 include:

• Fraud Prevention by implementing IBAN/Name verification service for all credit transfers and providing a legal basis to share fraud-related information between PSPs, thus strengthening transaction monitoring.
• Extension of refund rights and transparency of credit transfers from EU to third countries, transparency of ATM charges, and currency conversion charges.
• Implement dedicated Application Programming Interfaces (APIs) for data access, ensuring contingency data access.
• Establishing consumer dashboards for managing data access rights and allowing non-bank payment service providers access to EU payment systems with proper security measures.
• Enhance the availability of cash through shops and Automated Teller Machines (ATMs). Retailers will be able to offer cash services without any purchase.
• Streamlining the payment rules applicable to PSPs (e-money and payment institutions).
• Authentication methods will not be solely smartphone-centric, so SCA will be applicable to vulnerable customers like older people, people with disabilities, and non-digital-savvy consumers.

The impact of PSD3 will be multifaceted, influencing various aspects of the payment landscape. It will introduce changes such as enhancing the IBAN/Name Verification Service, necessitating the reapplication of Payment Institutions (PIs) and Electronic Money Institutions (EMIs) for a Payment Service Provider (PSP) license, and facilitating consumer dashboards for managing data access rights. Additionally, PSD3 will implement new or revised Strong Customer Authentication (SCA) measures and establish a dedicated interface for exchanging data with Third Party Providers (TPPs). Furthermore, it will require the implementation of financial data sharing schemes aligned with the Financial Data Access (FIDA) framework and impact processes related to card payment flows, credit transfers, fraud departments, and legal teams handling contracts, liability, and terms and conditions.

Moreover, PSD3 is poised to bring about significant shifts in the industry dynamics. It is anticipated that increased collaboration between traditional banks and fintech companies will be fostered, facilitating the exchange of expertise and resources. Furthermore, the directive is expected to drive the development of innovative solutions that not only comply with regulatory requirements but also cater to customers’ evolving needs. By promoting a customer-centric approach, PSD3 has the potential to spur the creation of financial products and services tailored to meet consumers’ diverse preferences and expectations, thereby enriching their overall experience in the financial ecosystem.

Impact of PSD3 on the Members of the Payment Ecosystem

The implementation of PSD3 will significantly impact members involved in the payment ecosystem. Firstly, businesses must share more data with issuers to monitor various environmental and behavioral characteristics such as user location, transaction time, device information, spending patterns, transaction history, session data, and device IP addresses. This data sharing is essential for enhancing fraud detection and prevention measures. Additionally, payment schemes and Payment Service Providers (PSPs) will gain the authority to process personal data without explicit user consent under the General Data Protection Regulation (GDPR) regulations, streamlining certain processes while ensuring compliance.

Furthermore, under PSD3, schemes, technical service providers, and payment gateways will bear liability for fraudulent activities if they fail to implement Strong Customer Authentication (SCA) measures effectively. This places a greater emphasis on the importance of stringent security protocols within the payment infrastructure. Moreover, issuers will be held accountable for spoofing fraud instances, where fraudsters impersonate bank employees to facilitate unauthorized transactions, emphasizing the need for robust authentication mechanisms.

Lastly, PSD3 mandates that if the payer engages in fraudulent or negligent activities, they will bear liability for their actions, underscoring the importance of responsible financial behavior within the payment ecosystem.

Conclusion

PSD3 seeks to enhance security, transparency, and accountability across all facets of the payment industry, promoting trust and reliability among stakeholders.

Cigniti can help you by providing testing services for your implementation and enhancements related to payment. With its deep payment domain knowledge and testing expertise, Cigniti can provide consultancy and help you scale your business and meet market demands.

Need help? Contact our Payment Testing experts to learn more about the impact of PSD3 and implement or test any payment solution within your application.