Posted in Regulation & Policy

What Travel Merchants Need to Know About PSD3 and the New Payment Services Regulation

Posted on
by Editor

What Travel Merchants Need to Know About PSD3 and the New Payment Services Regulation

The European Union is preparing to overhaul its payment rules. In November 2025, Parliament and Council negotiators reached a provisional agreement on the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). For travel merchants operating in or accepting payments from Europe, these changes will reshape fraud liability, authentication requirements, and operational compliance.

The Big Picture: From PSD2 to PSD3

PSD2 introduced Strong Customer Authentication (SCA) and open banking to European payments. PSD3 builds on that foundation with sharper teeth. The new framework splits responsibilities: PSD3 (a directive) handles licensing and supervision, while the PSR (a regulation) applies uniform operational rules across all EU member states.

This matters because regulations apply directly. No more 27 different national interpretations of the same rules. For travel companies working across borders, compliance becomes simpler in theory. In practice, the requirements are stricter.

Key Changes Affecting Travel Merchants

1. Fraud Liability Shifts to Payment Providers

Under the new rules, payment service providers (PSPs) face broader liability for fraud losses. If a provider fails to apply SCA when required, they bear the loss. Not the merchant. Not the customer. The PSP.

The European Parliament specifically pushed for this shift. As rapporteur René Repasi stated: “Consumers will benefit from new harmonized rules. Mandatory fraud preventive measures will be applied and lead to less payment fraud. Banks have to share more of the burden if they fail to do their part.”

For travel merchants, this reduces direct exposure to fraud chargebacks. But it also means PSPs will scrutinize transactions more closely, potentially increasing friction at checkout.

2. Confirmation of Payee Becomes Mandatory

PSD3 mandates IBAN-name matching for credit transfers. Before a payment executes, the payer’s PSP must verify that the account name matches the provided IBAN.

This targets authorized push payment (APP) fraud, where scammers trick victims into sending money to accounts they control. For travel companies, this adds a layer of verification for bank transfer payments. It may delay settlement slightly but reduces the risk of fraudulent inbound payments.

3. SCA Exemptions Clarified for Travel

Travel merchants have long struggled with SCA friction. The new rules provide clarity on exemptions that benefit the industry:

  • Merchant-initiated transactions (MITs): SCA applies only at mandate setup, not subsequent charges. This helps subscription travel services and installment payment plans.
  • Mail Order Telephone Order (MOTO): Explicitly exempt from SCA. Critical for travel agents taking bookings by phone.
  • Low-risk transactions: The European Banking Authority will issue updated standards for transaction risk analysis exemptions, potentially reducing authentication friction for trusted customers.

4. Platform and Marketplace Rules Tighten

Travel marketplaces and online travel agencies (OTAs) face narrower exemptions. The “commercial agent” exemption, which allowed some platforms to avoid payment licensing, now applies only in limited circumstances.

Platforms acting on behalf of both buyer and seller, or those possessing or controlling funds, will need proper payment licenses or must partner with licensed PSPs. This aligns with Stripe’s analysis: “Ecommerce platforms acting as agents on behalf of both individual buyers and sellers are not commercial agents and therefore cannot engage in payment services activities without a license.”

5. Open Banking API Performance Standards

For travel companies using account-to-account payments or open banking solutions, PSD3 mandates better bank API performance. Banks must meet response time benchis and remove obstacles to third-party provider access.

The cumbersome “fallback interface” (screen scraping) disappears. Instead, banks must provide reliable APIs or face penalties. This should make open bank payments more viable for travel bookings, though implementation timelines stretch into 2026-2027.

Timeline: When This Takes Effect

The provisional agreement was reached in November 2025. Formal adoption is expected in early-to-mid 2026. After that:

  • The PSR (regulation) enters into force 20 days after publication in the EU Official Journal
  • PSD3 (directive) requires transposition into national law, likely 18-24 months after adoption
  • Full compliance deadlines target 2026-2027

As Stripe notes: “While there are no clear timelines on the negotiations and implementation period at this stage, it is unlikely that the rules will come into effect before 2026.”

What Travel Merchants Should Do Now

  • Audit your payment stack: Understand which PSPs and gateways handle your European transactions. Confirm their PSD3 readiness plans.
  • Review MOTO and MIT flows: If you take phone bookings or recurring payments, document these flows. They qualify for SCA exemptions under the new rules, but you need proper implementation.
  • Assess marketplace exposure: If you operate a platform connecting travelers with service providers, evaluate whether you need a payment license or can rely on a licensed partner.
  • Monitor EBA guidance: The European Banking Authority will issue Regulatory Technical Standards on SCA, transaction monitoring, and fraud data sharing. These details matter for implementation.
  • Plan for bank transfer verification: If you accept SEPA transfers, prepare for the Confirmation of Payee rollout. This may require updates to your payment flows.

Key Takeaways

  • PSD3 and the PSR represent an evolution, not a revolution, building on PSD2’s foundation
  • Fraud liability shifts decisively toward payment service providers, protecting consumers and merchants
  • Travel-specific exemptions for MOTO and merchant-initiated transactions are clarified and preserved
  • Platform businesses face tighter licensing requirements and narrower exemptions
  • Open banking gains stronger API performance mandates, potentially improving account-to-account payments
  • Implementation timelines point to 2026-2027 for full compliance

The travel industry depends on smooth, secure payments across borders. PSD3 aims to deliver that security while clarifying the rules of the road. For merchants, the key is preparation. Understand the changes, audit your providers, and align your compliance roadmap with the 2026-2027 timeline.

Sources:

Editor

With decades of combined experience spanning all facets of the travel and merchant processing industries, our editorial team brings unparalleled insight to Travel Merchant News. Our expertise encompasses every angle of the travel sector, from seasoned travelers who have explored the world to travel operators who have built and managed successful tourism businesses. On the merchant processing side, we've worked extensively with payment solutions tailored specifically for the travel space, understanding the unique challenges and opportunities that travel businesses face in payment processing, transaction management, and financial operations. This comprehensive knowledge allows us to deliver content that truly speaks to the needs of travel professionals navigating the complex intersection of travel services and merchant solutions.

You May Also Like

More From Author

RateGain and Juspay Launch RG Pay for Embedded Travel Payments

Embedded Payments and Fraud Prevention Emerge as Travel Top Priorities for 2026

Leave a Reply

Your email address will not be published. Required fields are marked *