PSD3 Is Set to Make the European Payments Industry Safer and More Competitive

In late November 2025, the EU Parliament and Council agreed on the PSD3 directive, intended to replace PSD2. Member States will have 18 months to transpose it into national law. PSD3 aims to close gaps left by PSD2, but its broader objective is clear: strengthen competitiveness of the EU payments sector while improving resilience against fraud and data breaches.

It affects a wide range of actors across the European payments ecosystem—banks, post offices, payment institutions, fintechs, e-commerce platforms and online service providers.

Decade of Digital Payments 

Since PSD2 entered into force in 2016, the European payment landscape has shifted significantly. The market has scaled fast: ECB data shows card payment transactions rising from 40 billion in 2018 to over 80 billion in 2024. At the same time, cash usage has declined, dropping from 79% share in 2016 to 52% in 2024.

Of course, we need to account for multiple factors influencing this trend, such as the rise of technology, the e-commerce explosion, and changing consumer behavior. But regulation has also played a structural role by providing frameworks that not only shape market rules but often support further innovation. The EU, by focusing on strengthening competition and implementing customer-centric regulations, hopes that the payment market will continue to innovate while building resilience and effectively countering threats that could slow down market trends.

Changes Brought by the New Directive 

Payment Services Directive 3 (PSD3) is an updated version of the Payment Services Directive 2 (PSD2) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). It aims to make payments safer, more competitive, and more accessible across Europe while ensuring fair conditions for both banks and non-bank providers.

Key changes include:

• Stronger protections against payment fraud
• Better access for non-bank payment providers to EU payment systems
• Improvements to open banking, including more reliable data sharing and greater user control
• Clearer rules and stronger enforcement by regulators
• Enhanced consumer rights and transparency
• Measures to support access to cash
• A single, streamlined framework for payment services and e-money

The Directive focuses on multiple areas of the payment industry. These are the most important pillars of PSD3: 

Still Fighting with Fraud

Fraud prevention is a central pillar of PSD3. Payment service providers are required to implement stronger controls such as enhanced authentication and verification of payee details before transactions are executed. If providers fail to apply appropriate fraud prevention measures, they may become liable for customer losses, especially in cases of unauthorized or impersonation-based fraud. 

Cash Is Not Dead 

PSD3 also supports continued access to cash by allowing retailers to offer cash withdrawals within set limits. This measure is intended to complement declining ATM networks and ensure that consumers, particularly in rural or underserved areas, retain practical access to cash services alongside digital payments.

Growing The Market by Increasing Competition 

PSD3 strengthens competition by improving access for non-bank payment service providers and reinforcing open banking rules. Account-servicing payment service providers must provide authorized third parties with access to payment accounts under clear, non-discriminatory conditions. At the same time, users gain more control over how and with whom their payment data is shared through dedicated permission dashboards. The intention is to reduce friction and structural barriers that previously limited new entrants in the payments market.

Payment HSM Solutions as a Foundation 

If you are a bank, payment institution, or emerging fintech looking beyond PSD2 and into the requirements introduced by PSD3, payment HSMs remain a foundational component and a starting point of your security architecture.

They sit at the point where sensitive payment operations are actually executed whether it is an online transaction or ATM cash withdrawal in a small town. Controlling keys, signing transactions, and protecting authentication flows in a way software alone cannot replicate.

This matters because PSD3 increases pressure on provable security: stronger fraud controls, stricter liability for payment providers, and more regulated data sharing. HSMs are what make that enforceable in practice. They ensure that critical credentials and cryptographic keys are never exposed, while enabling strong customer authentication and secure transaction validation under controlled conditions.

Utimaco’s Solutions 

Utimaco’s Payment HSM portfolio includes the Atalla AT1000 Payment HSM and the CryptoSec Payment HSM, both designed to secure critical payment operations such as key management, PIN processing, and transaction authentication across issuing and acquiring environments. The Atalla AT1000 is recognized as one of the fastest Payment HSMs, delivering up to 10,000 TPS, while the CryptoSec Payment HSM enables easier migration with a strong price-to-performance ratio for modern payment infrastructures. Both solutions are fully PCI compliant.

CTA: Check how this European fintech secures its rapid growth with Utimaco’s Payment HSM click here

Utimaco’s fully hosted Payment HSM as a Service offering is an attractive option for organisations that need the flexibility and scalability of the cloud. It also provides one of the fastest and simplest way to comply with the global payment regulations.

About the Author

Peter Czempas

Product Marketing Manager, Utimaco