Paula Albu
08 May 2026 / 5 Min Read
With regulations and compliance dominating the conversation across payments and fintech, all key players in the field must get ready for what’s coming. John Lunn, CEO of Gr4vy, breaks down what PSD3 and instant payments mean for merchants in practice, and how they need to prepare.
Proposed by the European Commission in June 2023, PSD3 and the new Payment Services Regulation (PSR) establish a modernised legal framework covering card payments, credit transfers, digital wallets, and online merchants alike, with a provisional political agreement reached in late 2025 and final publication expected in summer 2026. Once adopted, PSD3, as a directive, will require transposition into national law within 18 months.
When it comes to merchants, we must divide them into two distinct groups: marketplaces and non-marketplaces. If you are a marketplace, PSD3 could be a significant change for you, as it means you will need to start planning now for the loss of the commercial agent exemption. In practice, you will need to start looking at PSPs with the appropriate licences to handle this change. If you are a direct merchant, in my opinion, most of the changes will be in how you detect fraud and how you authenticate customers.
I think the impact on merchants will be low because, despite all these changes, open banking payments have seen low adoption in consumer payments. At present, there isn't much benefit for consumers in paying this way. Unless this changes, the question of whether to implement this as a payment option is not urgent. What could be interesting is the no-question MIT refund, which means merchants will need to consider how to build in a buffer, especially when dealing with payouts. The other thing worth watching is the rise of ‘friendly fraud.’ By making it less of a consumer problem, we risk increasing it, as amateur fraudsters exploit loopholes.
There are two parts of PSD3: the first is PSR, a regulation that will roll out as written and focuses on authentication. The second part is PSD3 itself, which is a directive; therefore, each EU Member State will decide how to implement it. This could get complicated if we get different interpretations. I also think another key aspect is being able to support multiple authentication methods for SCA. What this actually turns out to be is yet to be determined, and you might end up needing to support very technical solutions like passkeys alongside traditional methods like SMS and even knowledge-based questions. What we can guarantee is that fraudsters will target the point of lowest resistance.
There are two things to consider here: first, make sure your PSPs will be ready for the changes and able to support you, particularly around the changes to authentication. Secondly, make sure your anti-fraud provider has early-detection tools ready, so you are not left relying solely on step-up authentication and risk falling out of compliance. A good orchestration provider can help ensure you have multiple PSPs to reduce risk and fill some product gaps.
The first step is to audit your payment systems and anti-fraud providers. Ask what they are doing around PSD3 and how and when they will be ready to support you. If you don't get a satisfactory answer, now might be the time to shop around so that you don't fall behind. Again, adding an orchestrator at the same time will help de-risk the process and keep you ready for future changes.
Overall, we must remember that PSD2 dates back to 2015, and a lot has happened since then. It is good for the ecosystem when consumers are better protected, and fraud is reduced, as this encourages trust and, hopefully, drives increased sales. I also love that this legislation is making the ecosystem more open so that PSPs can compete with banks on more level terms, which will drive more merchant choice. This should, over time, mean costs go down as competition increases.
In the early days of e-commerce, we used the card-not-present rails rather than building a specific protocol. This caused many of the problems we are still dealing with today.
Agentic merchants should not just open their ecom layer to Agentic via HTTP. Rather, they should prepare for Agentic by opening a route for agents, which is why you see so many protocols being thrown around now. As the new protocols roll out, we will handle the back-end work, so merchants don't need to constantly update the system for Agentic. Now, on PSD3, most transactions are ‘Human present’, meaning a human must be involved in the agreement to make a purchase. This does mean PSD3 applies, and most of the new protocols support passkeys, which seems to be the best route presently. OOB (Out-of-band authentication) is also an option here. When humans are taken out of the loop, things will get interesting, and I would expect changes and protocols to be adapted. But you must understand that AI usage took two years to reach the same number of users that it took the internet 14 years to reach, and the pace of change is incredible, so we will have to see, as I honestly don’t think anyone knows yet.
John Lunn is the Founder and CEO of Gr4vy, a cloud-native payment orchestration platform designed to simplify and scale digital payments for merchants.
Gr4vy’s no-code payment orchestration platform offers enterprises full control to automate, customise, and optimise their payment strategy. With a single integration, businesses can gain access to over 400 payment methods, anti-fraud tools, and payment service providers, allowing them to optimise their payment stack in just a few clicks, all from a centralised platform. Built on dedicated cloud instances, Gr4vy infrastructure eliminates the risk of a single point of failure, ensuring redundancy and high performance.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.