The European payment landscape has undergone its most significant transformation since the original PSD2 directive. In 2026, the introduction of the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR1) has moved the goalposts for e-commerce security, consumer protection, and merchant liability.
Unlike previous directives, the PSR1 is a regulation, meaning it is directly applicable across all EU member states without the need for individual country transposition. This harmonizes the rules, but it also means that non-compliance penalties are now standardized and severe.
1. The "Verification of Payee" (VoP) Mandate
As of October 9, 2025, all Eurozone Payment Service Providers (PSPs) were required to implement "Verification of Payee" (VoP). For merchants, this is a double-edged sword. While it drastically reduces "misdirected payments," it adds a new layer of friction at checkout.
The "Exact Match" Requirement: When a customer initiates a SEPA Instant transfer to your business, their bank now checks your registered IBAN against your Legal Entity Name. If you are trading under a brand name that differs from your bank account name, the customer will receive a "No Match" warning, which can lead to cart abandonment rates as high as 30%.
2. The Liability Shift: Protecting Against "Spoofing"
One of the most controversial elements of PSD3 is the shift in fraud liability. Previously, if a customer was tricked into authorizing a payment (social engineering or "spoofing"), the merchant or the customer usually bore the loss. Under 2026 rules:
- Bank/PSP Liability: If a fraudster impersonates a bank employee to trick a user into authenticating a payment, the issuing bank is now liable for the loss.
- Technical Service Provider Liability: If a payment gateway fails to correctly apply Strong Customer Authentication (SCA), the gateway is liable for the resulting fraud.
- Merchant Protection: Merchants who fully implement 3D Secure (3DS) and SCA-compliant flows are shielded from these specific "spoofing" chargebacks.
3. Simplified Recurring Payments: The MIT Exemption
PSD3 brings good news for subscription-based businesses. The rules for Merchant-Initiated Transactions (MITs) have been streamlined. Under PSD3, Strong Customer Authentication is only required for the first transaction in a series. Subsequent payments no longer require repeated MFA, provided the initial mandate was robustly secured.
4. Comparison: PSD2 vs. PSD3/PSR1
| Feature | PSD2 (Old) | PSD3/PSR1 (2026) |
|---|---|---|
| Verification of Payee | Optional/Bank-specific | Mandatory (Free for users) |
| Spoofing Liability | Often falls on the consumer | Shifted to Banks/PSPs |
| PI & EMI Status | Two separate licenses | Unified "Payment Institution" Status |
| SCA Factors | Must be from 2 categories | 2 factors from same category allowed |
5. 2026 Compliance Checklist for Merchants
- [ ] Sync Branding: Ensure your "Trading As" name matches your bank account name to avoid VoP "No Match" errors.
- [ ] Data Sharing: Update your privacy policy to reflect that you share location and transaction metadata with banks to aid AI-driven fraud detection (per PSR1 allowances).
- [ ] API Audit: Ensure your payment gateway supports the latest 3DS protocols and PSR1-compliant data fields.
6. Conclusion
PSD3 is not just about security; it's about creating a "frictionless" Eurozone. For the proactive merchant, these rules offer a way to lower fraud costs and improve subscription retention. For the unprepared, the "No Match" warnings and strict SCA requirements could be a significant barrier to growth.




