What EU Merchants Need to Know Now
The biggest overhaul of EU payment law since 2018 is moving from political agreement to final text. Here is what is changing, why it matters for merchants, and what to do while the transition period runs.
On 27 November 2025, EU legislators reached a provisional political agreement on two pieces of legislation that will reshape how payments work across the European Union: the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). Together they replace PSD2 — the framework that has governed EU payments since 2018 — and introduce significant changes to fraud liability, authentication rules, and how payment service providers operate.
The final texts are expected to be published in the Official Journal of the EU in the first half of 2026, with an implementation period of 18 months following entry into force. That puts full compliance somewhere in the H2 2027 to early 2028 window, depending on the exact publication date and the final agreed transition period. For merchants, that may sound distant. It isn't. The decisions that shape your payment infrastructure over the next two years are being made now — by your acquirers, your processors, and your technology providers.
This article explains what PSD3 and the PSR actually contain, what they mean for merchants in practice, and what the transition period means for businesses operating in high-risk industries.
What PSD3 and the PSR Are — and Why There Are Two of Them
PSD2 was a directive — a legal instrument that each EU member state had to transpose into its own national law. This created a problem: different countries interpreted and enforced PSD2 differently, allowing regulatory arbitrage and producing an uneven landscape across the single market. Some provisions were applied more strictly in certain jurisdictions than others. Fraud liability rules, authentication exemptions, and open banking API standards varied noticeably from country to country.
The new framework addresses this directly by splitting into two instruments. PSD3 remains a directive and covers the licensing and supervision of payment institutions — who is allowed to provide payment services and under what conditions. The PSR, however, is a regulation. Regulations are directly applicable across all EU member states without the need for national transposition. This means the core operational rules — on fraud liability, SCA, transparency, and merchant-initiated transactions — will apply uniformly across the EU from day one, closing off the national interpretation gaps that allowed inconsistency under PSD2.
For high-risk merchants operating across multiple EU markets, this harmonization is significant. The compliance landscape will become simpler in one important respect: there will be one set of rules to understand, not 27 national variations of them.

The Fraud Liability Shift — The Change That Matters Most
The most consequential change in the new framework is where fraud liability lands. Under PSD2, liability for fraud was often contested, and the rules around authorized push payment (APP) fraud — where a customer is tricked into transferring money to a fraudster — were unclear and inconsistently enforced. The PSR changes this significantly.
If a payment service provider fails to implement adequate fraud prevention mechanisms, it will be liable for covering customers' losses. Specifically, the PSR introduces liability for impersonation fraud: where a fraudster poses as a PSP employee and tricks a customer into authorizing a payment, the PSP must reimburse the customer in full — provided the customer reports the incident to the police and notifies their PSP. The receiving PSP must also freeze any transaction it identifies as suspicious.
This is a direct financial consequence for inadequate fraud controls. It moves fraud prevention from being primarily a customer service function to a balance sheet risk for payment providers. The practical effect is that PSPs — including acquirers — will apply greater scrutiny to the merchants they board and the fraud controls those merchants have in place. For high-risk merchants, who already face heightened scrutiny from acquirers, this raises the bar further. A merchant with poor fraud metrics becomes more expensive to an acquirer not just in terms of chargeback fines, but in terms of direct liability exposure.

Name-to-IBAN Verification Across the EU
The PSR mandates name-to-IBAN verification — known as Verification of Payee (VoP) — for all credit transfers across the EU. Before a transfer is processed, the PSP must check that the payee's name matches the account identifier provided. If there is a discrepancy, the PSP must refuse the payment and inform the payer.
This requirement already exists in some EU markets — the Netherlands introduced it several years ago, and it became mandatory for Dutch PSPs before wider EU adoption was agreed. The PSR now extends it EU-wide. Notably, the payee-name/IBAN verification obligation has a longer implementation window than most PSR provisions: 24 months after entry into force, rather than 18. This reflects the technical infrastructure changes required across the EU banking system.
For merchants, this matters at the point of customer refunds, bank transfers, and payouts. Any payment flow that involves sending funds to a customer's account will need to be validated against the VoP framework. Mismatches that previously might have been processed without flagging will now generate hard stops. Merchants should audit their payout and refund workflows well in advance.

Strong Customer Authentication — What Changes
SCA remains a cornerstone of the new framework, but the PSR introduces important refinements. The core requirement — that authentication must use at least two of three elements (something you know, something you have, something you are) — is maintained. However, the PSR clarifies and updates several areas that were ambiguous or problematic under PSD2.
Merchant-Initiated Transactions (MITs) are explicitly addressed. SCA is required at the point of mandate set-up — when a customer first authorises a recurring payment — but not for each subsequent transaction initiated by the merchant under that mandate. This is relevant for subscription businesses and any merchant using recurring billing, and it aligns MITs more clearly with the existing treatment of direct debits. For high-risk merchants in iGaming, subscription services, or any model with recurring card charges, this clarity is operationally valuable.
The PSR also introduces biometric SCA combinations not previously permitted. Where PSD2 required the two authentication factors to come from different categories, the PSR allows both factors to come from the inherence (biometric) category — for example, combining a fingerprint with facial recognition. It also strengthens the requirement that PSPs offer at least one SCA method accessible to customers without smartphones, addressing concerns that mobile-centric authentication excluded certain user groups.
Exemption governance is also tightened. The European Banking Authority (EBA) will develop new regulatory technical standards for SCA exemptions and transaction risk analysis. Acquirers and PSPs that have relied on flexible interpretation of exemption thresholds will need to reassess those practices against the new standards as they are developed.

What This Means for High-Risk Merchants During the Transition Period
The implementation window — broadly 2026 to 2027/2028 — is not a period in which nothing happens. It is the period in which the decisions that determine compliance readiness are made. PSPs are already beginning to assess their gap against the new framework. Acquirers are recalibrating their merchant risk policies in light of increased fraud liability. The EBA is developing the technical standards that will define the operational detail of the new rules.
For merchants, this means three things matter right now.
Your fraud infrastructure will be evaluated differently. Acquirers facing direct liability for PSP impersonation fraud have strong incentives to assess whether the merchants in their portfolio are generating fraud risk. High-risk merchants with poor dispute management, high TC40 rates, or weak fraud controls will attract more scrutiny during acquirer portfolio reviews under the new framework. Building a cleaner fraud profile — through pre-dispute tools, velocity controls, and active monitoring — is increasingly a prerequisite for stable acquiring relationships, not just good practice.
Your payout and refund flows need an audit. The name-to-IBAN verification obligation, arriving 24 months after PSR entry into force, will affect any merchant that sends funds to customer accounts. Subscription refunds, winnings payouts in iGaming, and broker withdrawals in financial services are all affected. The infrastructure for these flows needs to be assessed now, not when the obligation takes effect.
Recurring billing merchants should understand the MIT clarification. If your business model includes any form of subscription or recurring charge, the explicit treatment of MITs under the PSR removes ambiguity that previously required careful management on a market-by-market basis. Understanding exactly how the new rules apply to your specific billing model — and how your acquirer intends to implement them — is worth addressing proactively with your payment partners.

The Bigger Picture
PSD3 and the PSR are not arriving in isolation. They are part of a broader regulatory tightening across the EU payment landscape that also includes the Instant Payments Regulation, DORA (Digital Operational Resilience Act), and the EU AML package establishing AMLA. The direction across all of these is consistent: more accountability, more harmonisation, more direct liability for payment providers when controls fail.
For high-risk merchants, the cumulative effect is an environment where the quality and stability of your payment provider relationships matter more than ever. A specialist acquirer who understands your industry, has built their compliance infrastructure around the new framework, and can explain clearly how these changes apply to your specific business model is not a commodity. In a regulatory environment this complex, that kind of partnership is a material operational advantage.
The transition period is not a waiting room. It is the window in which the groundwork is laid. The merchants who use it well will find the new landscape easier to operate in. Those who don't will be scrambling to catch up when the rules take effect.
