Travel Merchants Face New Compliance Wave: PSD3, Visa and Mastercard Rule Changes Reshape Payment Landscape in 2026
The payments compliance landscape is shifting dramatically for travel merchants in 2026. Two major regulatory forces (the European Union’s PSD3/PSR1 framework and updated card network rules from Visa and Mastercard) are creating new obligations that travel businesses cannot afford to ignore. For an industry already classified as high-risk due to high chargeback rates and advance booking models, these changes represent both operational challenges and competitive opportunities.
PSD3 and PSR1: Europe’s New Payments Regime Takes Shape
A political agreement on PSD3 and the Payment Services Regulation (PSR1) was reached on November 27, 2025, signaling the end of substantive policy debate and the near-finalization of legislative text. According to Ping Identity, formal adoption and publication will follow in early to mid-2026, placing enforcement on a 2026 to 2028 timeline.
PSD3 is the most significant overhaul of Europe’s payments regime since PSD2. While PSD2 introduced Strong Customer Authentication (SCA) and open banking, PSD3 addresses gaps that became unavoidable by the end of the PSD2 cycle. Industrialized fraud had outpaced legacy controls, particularly SMS OTP, passwords, and knowledge-based recovery journeys.
Key PSD3 Requirements for Travel Merchants
- Stronger SCA mandates: Enhanced authentication requirements that go beyond PSD2’s baseline
- Real-time fraud monitoring: Continuous transaction surveillance with immediate response capabilities
- API hardening: More robust security standards for payment interfaces
- Recovery assurance: Improved processes for account recovery and credential resets
- Alignment with eIDAS 2.0: Integration with Europe’s digital identity framework
Travel merchants serving European customers must prepare for these requirements during the 2026 to 2027 window, when architectural decisions and capability consolidation will be critical.
Visa and Mastercard Tighten Rules for High-Risk Merchants
While European regulators advance PSD3, Visa and Mastercard are implementing their own 2025 rule changes that directly impact travel merchants. According to Payment Nerds, these updates are sweeping changes designed to raise accountability for all parties in the transaction lifecycle, especially in industries prone to complaints, chargebacks, and regulatory scrutiny.
Travel services have been specifically cited in compliance reviews due to inconsistent refund policies, unclear billing descriptions, and the industry’s structural characteristics: high transaction values, advance bookings, and cancellation risk.
What Visa and Mastercard Now Require
- Transparent pricing: Total costs including taxes and fees must display before payment commitment
- Subscription disclosures: Clear opt-in confirmations and cancellation instructions for recurring billing
- Real-time cancellation tools: Immediate access to subscription management
- Negative option billing limits: Strict disclosure criteria for trial-to-paid conversions
- Enhanced dispute processes: New chargeback reason codes and faster resolution timelines
Noncompliance carries severe consequences: excessive fines, frozen funds, or termination of merchant account processing relationships entirely.
U.S. Payment Compliance: The Broader Context
For U.S.-based travel merchants, compliance obligations extend beyond card network rules. According to Clearly Payments, 68% of U.S. Merchants have faced at least one payment-related compliance challenge in the past two years. The average cost of a data breach for U.S. Companies now stands at $4.45 million.
PCI DSS non-compliance fines range from $5,000 to $100,000 per month depending on the processor and card brand. Perhaps more alarming, 43% of small businesses that experience a data breach close within six months, according to the U.S. National Cyber Security Alliance.
High-risk merchant oversight has intensified. Processors now perform enhanced due diligence on travel merchants, verifying product claims, marketing practices, and refund policies to avoid reputational and legal risks.
Practical Steps for Travel Merchants
Travel merchants should take immediate action to align with these evolving requirements:
- Audit authentication flows: Review SCA implementation and prepare for PSD3’s stronger requirements
- add real-time fraud monitoring: Deploy systems capable of continuous transaction surveillance
- Standardize billing descriptors: Ensure customers recognize charges on their statements
- Create clear refund policies: Document and prominently display cancellation terms
- Build cancellation self-service: Enable customers to manage subscriptions without contacting support
- Review PCI DSS compliance: Validate current security controls against latest standards
Key Takeaways
- PSD3/PSR1 enforcement begins in 2026 to 2028, with 2026 to 2027 as the critical preparation window for travel merchants serving European customers
- Visa and Mastercard’s 2025 rule changes mandate transparent pricing, clear subscription disclosures, and real-time cancellation tools
- Travel merchants face enhanced scrutiny as a high-risk category, with processors conducting deeper due diligence
- Compliance investments made now will differentiate competitive positioning as regulatory enforcement ramps up
- Financial institutions that treat these regulations as innovation catalysts rather than box-ticking exercises will gain lasting advantage
The convergence of PSD3, card network rules, and heightened processor oversight creates a complex compliance environment. Travel merchants that move proactively to address these requirements will be best positioned to navigate the evolving landscape while competitors scramble to catch up.
