Close Menu
    Global Licensing & Legal Updates

    The PSD3/PSR Impact Blueprint: What High-Risk Merchants Must Change Before the Final 2026 Enforcement Cycle

    Updated:No Comments22 Mins Read
    Data-driven PSD3 and PSR compliance ecosystem showing authentication, fraud, transparency and regulatory monitoring requirements for 2026.

    The European payments landscape is entering its most significant regulatory shift since PSD2. With PSD3 and the new Payment Services Regulation (PSR), the EU is closing long-standing loopholes, raising transparency standards, strengthening fraud rules and reshaping authentication across the entire payments chain. For PSPs and acquirers, these reforms require major operational updates. But for high-risk merchants, where fraud incidence, dispute ratios, and customer journeys are more complex, the impact is even more pronounced.

    By the time the final enforcement cycle begins in 2026, merchants operating in verticals such as gaming, travel, digital goods, subscription services and high-risk financial products will face stricter authentication requirements, enhanced disclosure obligations and deeper scrutiny from acquiring partners. These changes affect not only compliance posture but also approval rates, customer experience and dispute outcomes. Merchants that rely on legacy onboarding logic, outdated SCA flows or incomplete customer-intent evidence will struggle to meet evolving acquirer expectations.

    This blueprint breaks down what PSD3 and PSR really mean for high-risk merchants, where enforcement pressure will be felt most, and which operational, technical and compliance changes must be completed ahead of the 2026 deadlines. Instead of treating PSD3/PSR as a regulatory checklist, this guide explains how to turn the new standards into a practical, readiness-focused strategy that supports sustainable growth across Europe.

    Table of Contents

    Understanding PSD3 and PSR: What’s Changing and Why It Matters

    The introduction of PSD3 and the new Payment Services Regulation (PSR) marks a shift in how the EU governs payments. Unlike PSD2 which focused heavily on enabling open banking and strengthening SCA, the PSD3/PSR package is designed to close structural gaps that fraudsters and inconsistent market practices have exposed over the past several years. For merchants, especially those operating in high-risk categories, these reforms reshape the expectations of acquirers, issuers, PSPs and regulators. They also redefine what “good compliance” looks like in practical, operational terms.

    The most notable structural change is the transition from PSD2’s directive model to PSR’s regulation model. A directive, like PSD2, must be transposed into national law, often resulting in variations between countries. A regulation, such as PSR, applies uniformly across all EU member states. This means compliance standards for authentication, disclosures, fraud reporting and monitoring will become significantly more consistent and far stricter across the region. For merchants selling into Europe, this uniformity brings clarity, but also a new level of enforcement rigor.

    The final enforcement cycle in 2026 will represent the point at which acquirers and PSPs are expected to demonstrate full compliance across their portfolios. That pressure inevitably flows downstream to merchants. High-risk businesses that fail to align with the new requirements will face onboarding delays, increased monitoring, stricter SCA demands and potentially reduced access to certain payment services. Understanding why these changes are happening is the first step in preparing for them.

    The evolution from PSD2 to PSD3: closing the loopholes

    PSD2 created major advancements in authentication and open banking, but it left gaps in consumer protection, fraud prevention and regulatory clarity. Fraudsters exploited these gaps particularly in areas like APP scams, synthetic identity fraud, social-engineering attacks and unclear merchant disclosures.

    PSD3 aims to resolve these weaknesses by tightening rules around SCA exemptions, improving customer visibility into fees and strengthening overall fraud detection.

    For merchants, this evolution means SCA becomes more context-driven, evidence-heavy and issuer-sensitive. Issuers will expect merchants to demonstrate a clear trail of identity and intent, especially for digital and high-risk transactions.

    PSR: The new regulatory backbone replacing PSD2’s operational gaps

    PSR is perhaps the most consequential part of the reform package. By applying uniform rules across the EU, PSR removes ambiguity around how SCA, routing transparency, FX disclosures and fraud reporting should work. It also expands the obligations of PSPs and acquirers to monitor merchants more closely, report fraud more frequently and enforce stricter compliance standards.

    This means merchants will face more structured reviews, clearer onboarding requirements and ongoing monitoring tied to fraud and dispute performance.

    Why 2026 enforcement is the pivotal date for merchants and PSPs

    Throughout 2024–2025, PSPs and acquirers are expected to upgrade systems, revise onboarding workflows, redesign authentication support and improve disclosure templates. Once regulators begin enforcement in 2026, acquirers will no longer have the flexibility to onboard or continue processing for merchants who cannot demonstrate compliance readiness.

    For high-risk merchants where dispute ratios, fraud rates and complex user journeys are already challenging 2026 represents a hard operational deadline. Investments in SCA logic, data quality, consent capture, subscription flows and complaint-handling processes must be completed before the final enforcement cycle begins.

    The High-Risk Merchant Exposure: Why PSD3/PSR Hit These Sectors Hardest

    While PSD3 and PSR apply broadly across the European payments ecosystem, their impact will not be felt evenly. High-risk merchants that operate in sectors such as gaming, travel, digital goods, marketplaces, subscriptions and financial services sit at the intersection of the highest fraud rates, the most complex transaction flows and the strictest regulatory oversight.

    As a result, the 2026 enforcement cycle will reshape how these merchants authenticate customers, present pricing, manage complaints and demonstrate compliance readiness.

    The reforms introduce greater accountability for both customer protection and fraud reduction. Issuers and acquirers will be obligated under PSR to apply enhanced monitoring to merchants with elevated chargeback patterns, inconsistent SCA logic or unclear disclosure practices. For many high-risk businesses, this means that compliance is no longer a once-a-year review; it becomes a continuous operational expectation. Merchants must adopt more structured data practices, clearer UX flows and more robust documentation to maintain acquirer confidence.

    Higher fraud, chargebacks and regulatory oversight

    High-risk verticals traditionally experience elevated fraud exposure due to fast-moving transactions, low-friction purchasing and customer behaviours that create dispute ambiguity. PSD3/PSR are designed to protect consumers in these environments, which means merchants must now meet stronger burdens of proof for identity, intent and consent.

    Issuers will increasingly rely on behavioural and device-based patterns to evaluate risky transactions. If merchants cannot provide these signals, issuers may require more frequent step-up authentication or reject transactions outright. PSPs, meanwhile, are required to escalate their monitoring of high-risk categories, placing more pressure on merchants to maintain stable dispute and fraud performance.

    Stricter onboarding, monitoring and documentation requirements

    Under PSR, acquiring banks must demonstrate that they conduct enhanced due diligence on merchants operating in high-risk industries. This includes verifying business practices, reviewing customer journeys, assessing renewal and cancellation flows and ensuring transparency around pricing and FX.

    Merchants should prepare for increased onboarding scrutiny and more frequent requests for updated policies, evidence trails and compliance documentation. Those unable to produce clear audit-ready material may experience onboarding delays or additional monitoring conditions.

    Cross-border, subscription, gaming and digital flows under deeper scrutiny

    Certain high-risk flows amplify compliance exposure under PSD3/PSR:

    1. Cross-Border Transactions

    Cross-border traffic is more closely examined due to data inconsistencies, complex routing patterns and increased fraud risk. Merchants must improve metadata quality and ensure transparent FX disclosures.

    1. Subscriptions & Recurring Billing

    Subscription models face enhanced disclosure and cancellation requirements to prevent confusion-driven disputes. Merchants must present clear trial terms, renewal schedules and pre-renewal reminders.

    1. Gaming & Digital Goods

    Fast-purchase cycles create velocity anomalies and intent ambiguity. Stronger device identity, behavioural monitoring and consent logs will be required to satisfy issuer and acquirer expectations.

    In all cases, PSD3/PSR signal a shift from reactive compliance to continuous operational integrity. High-risk merchants must modernise their data inputs, SCA flows and customer disclosures to prepare for the 2026 enforcement cycle.

    The New SCA Standards: What “SCA 2.5” Means in Practice

    Strong Customer Authentication (SCA) was one of the most disruptive elements of PSD2, but the industry soon discovered gaps particularly around behavioural consistency, device intelligence, exemptions and how issuers interpret risk. PSD3 does not replace SCA; instead, it strengthens and clarifies it. Many acquirers and PSPs refer to this evolution as “SCA 2.5”, a more adaptive and context-driven version of authentication that places greater responsibility on merchants to provide richer risk signals.

    Diagram showing enhanced SCA 2.5 identity and behavioural signals including device stability, login history, IP consistency and issuer evaluation flows

    For high-risk merchants, these changes are significant. Under PSD3, issuers become more selective about when they accept low-friction transactions and more demanding about the consistency of the identity and behavioural data that merchants provide. Poor-quality metadata, missing device signals or opaque risk profiles will lead to increased step-ups or declines. The goal of SCA 2.5 is not merely to authenticate the customer, but to assess whether the totality of transaction data reflects a known, legitimate interaction.

    Stronger identity signals and behavioural context requirements

    Under SCA 2.5, authentication is no longer just about two factors; it’s about context continuity. Issuers will rely on a wider range of identity markers to evaluate authenticity, including:

    • Device stability across sessions
    • Behavioural biometrics
    • Prior login history
    • Network and IP consistency
    • Merchant’s past interaction history with the customer

    For merchants in high-risk verticals especially those with instant-purchase or low-friction workflows this means authentication must be supported by deep behavioural data. Issuers expect to receive a coherent identity narrative, not just a cryptogram.

    Delegated authentication rules and merchant accountability

    PSD3 introduces clearer rules for delegated authentication, allowing merchants under specific conditions to authenticate customers on behalf of issuers. While this creates opportunities for smoother checkout experiences, it also introduces new responsibilities.

    Merchants who implement delegated authentication must maintain:

    • Clear audit trails of authentication attempts
    • Reliable device identity binding
    • Configurable fallback flows in case of issuer overrides

    High-risk merchants benefit from delegated authentication only when their identity-binding processes are strong enough to satisfy issuer expectations. Otherwise, issuers may reject delegated flows and impose stricter SCA requirements.

    Impact on high-risk checkout flows and approval rates

    The biggest practical impact of SCA 2.5 on high-risk merchants is its influence on approval rates. Issuers will apply more rigorous evaluation to transactions that resemble known fraud patterns, such as:

    • High-velocity top-ups
    • Cross-border cardholder activity
    • Device switching mid-session
    • Trial-to-subscription conversions
    • High-value or unusual basket patterns

    If merchants cannot provide sufficient identity and behavioural continuity, issuers will increase step-up challenges or decline transactions entirely. Conversely, merchants who enrich their SCA submissions with clean, consistent metadata can expect more stable approval patterns.

    SCA 2.5 ultimately rewards merchants who build authentication journeys that align with issuer expectations clear, identity-rich, and supported by data. For high-risk merchants preparing for the 2026 enforcement cycle, this will be one of the most impactful areas of optimisation.

    APP Scam Liability and Consumer Protection: New Obligations for Merchants

    One of the most visible policy shifts introduced by PSD3 and PSR is the strengthening of consumer protection especially around Authorised Push Payment (APP) scams, misleading disclosures and dispute escalation procedures. Although high-risk merchants do not directly initiate push payments on behalf of customers, the rules still affect them in several ways: through liability expectations, refund obligations, pre-transaction warnings and the scrutiny applied to their user journeys.

    The EU’s objective is simple: reduce consumer harm by ensuring customers understand what they are buying, who they are paying and what risks may be present. For high-risk merchants, where transactional urgency, digital delivery and recurring billing are common, these protections create new operational responsibilities that must be implemented before the 2026 enforcement cycle.

    Shared liability models and what merchants must prove

    PSD3 introduces a more structured liability framework for situations where customers are misled, confused or manipulated into making payments. While APP scam rules primarily tighten controls on banks and payment initiators, merchants are indirectly impacted because acquirers will demand stronger evidence that the merchant:

    • Clearly disclosed the nature of the purchase
    • Presented unambiguous pricing and renewal terms
    • Offered appropriate disclaimers or warnings where relevant
    • Maintained logs proving interaction authenticity

    Failure to meet these expectations may increase refund liability or weaken the merchant’s defence during dispute escalation.

    For high-risk sectors gaming, digital goods, subscription platforms and travel this means that proof of customer intent becomes as critical as proof of transaction delivery.

    Stronger refund, cancellation and disclosure requirements

    PSR extends consumer rights by standardising expectations around cancellations, refunds and transparency. High-risk merchants must ensure that:

    • Trial-to-paid transitions are clearly explained
    • Cancellation pathways are easy to find and complete
    • Renewal notices follow regulated timing
    • FX fees and cross-border charges are displayed upfront
    • Add-ons, upgrades or in-app purchases are fully itemised

    Many disputes arise not from fraud but from misunderstanding. Under PSD3/PSR, unclear disclosures will be treated as a merchant failure rather than a consumer mistake. This will raise pressure on PSPs and acquirers to intervene sooner, and high-risk merchants must adapt their UX accordingly.

    Complaint-handling and evidence trails are expected under PSR

    PSR requires more structured complaint-handling standards across the industry. Merchants will need to support faster response times, clearer customer communication and reliable documentation for acquirers and issuers.

    This includes:

    • Maintaining comprehensive logs of customer interactions
    • Saving screenshots of checkout disclosures
    • Tracking behavioural and device data supporting intent
    • Producing a clear history of refund attempts, cancellations or resolutions

    PSPs will also demand higher-quality evidence from merchants when disputes escalate, a trend already visible in Visa CE 4.0 and Mastercard’s updated dispute-handling protocols.

    For high-risk merchants, these obligations represent not only a compliance requirement but a strategic advantage. Merchants with strong evidence trails experience fewer escalations, higher win rates and more predictable dispute ratios.

    Fraud Data Sharing and Monitoring Expectations in 2026

    PSD3 and PSR significantly expand the data-sharing and monitoring obligations for PSPs, acquirers and merchants. Fraud trends across Europe have highlighted that fragmented data, inconsistent risk signals and incomplete transaction metadata make it harder for issuers to evaluate legitimacy. The new framework aims to close these gaps by requiring richer, more structured information flows throughout the payment chain.

    For high-risk merchants, this is one of the most important areas of the 2026 enforcement cycle. PSPs and acquirers will rely heavily on merchant-provided data to satisfy their regulatory reporting duties. In practice, this means merchants must upgrade how they collect, store and pass transaction, device and behavioural data to partners. Strong data may improve approval rates; weak or missing data will almost certainly trigger more friction, declines and audit requests.

    What PSPs must now report to regulators and issuers

    PSD3 and PSR introduce more granular reporting rules for PSPs, including:

    • Detailed fraud categorisation
    • BIN-level and issuer-level pattern visibility
    • Transaction-level identifiers and associated risk metadata
    • Authentication outcomes and step-up decisions
    • Customer communication attempts

    This creates a downstream expectation: merchants must supply accurate, high-quality data that enables PSPs to meet their reporting obligations. PSPs cannot fulfil their regulatory duties without structured merchant input, so acquirers will enforce stricter requirements on high-risk verticals.

    How this increases data-quality expectations for merchants

    Under PSD3/PSR, it will no longer be sufficient for merchants to send a basic set of transaction attributes. Regulators expect issuers and PSPs to evaluate broader behavioural context meaning merchants must provide:

    • Device fingerprints and stability signals
    • IP and network consistency
    • Account age and login history
    • Velocity data
    • Transaction sequencing and session continuity

    High-risk merchants with fast or low-friction purchase journeys must ensure their data capture is robust, accurate and consistent across channels.

    Continuous monitoring replacing periodic checks

    One of the largest operational changes introduced by PSR is the shift from periodic merchant reviews to continuous monitoring.

    Acquirers will use real-time scoring models to evaluate each merchant’s:

    • Fraud rates
    • Dispute levels
    • SCA success and failure patterns
    • Decline signals
    • Chargeback clusters
    • Customer complaints

    Merchants with poor or inconsistent performance may face enhanced due diligence, increased SCA enforcement or, in extreme cases, processing restrictions.

    For high-risk merchants, continuous monitoring means risk management must become part of everyday operations, not a compliance exercise performed during onboarding. Those able to maintain clean data, predictable behaviour and stable dispute patterns will see better approval rates and smoother acquirer relationships heading into 2026.

    Operational & Technical Changes Merchants Must Make Before 2026

    Meeting PSD3 and PSR requirements is not simply a matter of updating policy documents or adding new disclosures. For high-risk merchants, compliance readiness requires practical operational changes across authentication, routing, data capture, subscription management and customer communication. These adjustments must be implemented before the 2026 enforcement cycle begins, as acquirers and PSPs will expect merchants to demonstrate functional, testable compliance not theoretical alignment.

    Placed immediately after Section 7: “Operational & Technical Changes Merchants Must Make Before 2026,” before Section 8 begins

    The merchants who succeed under the new framework will be those who invest in foundational improvements to their checkout flows, data structures and consent mechanisms. PSD3/PSR introduce regulatory clarity, but that clarity also removes the flexibility merchants once had around ambiguous SCA routes, inconsistent disclosures or partial data collection. High-risk models must evolve into predictable, transparent and evidence-driven environments.

    Rebuilding SCA logic and fallback flows

    As SCA 2.5 becomes reality, merchants need to redesign their authentication logic to align with issuer expectations. This includes:

    • Ensuring all authentication requests contain rich device and behavioural metadata
    • Implementing configurable fallback routes when issuers reject exemptions
    • Avoiding repeated step-up failures by adapting SCA triggers based on BIN patterns
    • Supporting delegated authentication only when identity-binding is demonstrably strong

    For high-risk transactions such as high-value purchases, gaming top-ups or cross-border digital goods issuers will apply stricter evaluation. Merchants must ensure their SCA flows support continuity, stability and clarity.

    Redesigning subscription, renewal and cancellation UX

    PSR strengthens rules around subscription practices to reduce disputes and consumer confusion. High-risk merchants offering trials, recurring billing or auto-renewal models must ensure:

    • Clear, prominent renewal dates
    • Transparent pricing, including local and cross-border fees
    • Pre-renewal notices delivered within regulatory timing windows
    • Simple, visible cancellation pathways
    • Straightforward refund workflows

    Merchants who treat subscription clarity as a compliance checkbox will struggle; those who treat it as a user experience improvement will reduce dispute ratios and increase issuer trust.

    Under PSD3/PSR, proving customer intent becomes central to dispute resolution and compliance reviews. High-risk merchants should maintain:

    • Timestamped acceptance records
    • Screenshots or logs of checkout disclosures
    • Proof of acknowledgment for trial terms or high-risk purchases
    • Behavioural indicators (customer navigation, session stability)
    • Device-binding confirmation

    Consent must evolve from a passive checkbox to an active signal that can be validated during PSP audits or issuer challenges.

    Strengthening routing, data capture and transaction integrity

    Merchants must upgrade their transaction infrastructure to:

    • Improve metadata completeness
    • Introduce device fingerprinting and behavioural monitoring
    • Ensure clear FX and cross-border fee disclosures
    • Optimise routing based on issuer performance and SCA outcomes
    • Maintain consistent session and transaction identifiers

    Routing decisions, data consistency and transparency now directly influence both approval rates and compliance standing.

    Compliance Playbook: Preparing for Acquirer & PSP Enforcement Cycles

    As PSD3 and PSR approach full enforcement in 2026, acquirers and PSPs will begin assessing merchant readiness with far greater scrutiny. High-risk merchants, in particular, should expect structured reviews focused on fraud performance, SCA effectiveness, disclosure clarity and the quality of customer-intent evidence. Preparing early prevents onboarding delays, surprise remediation requests or tightened processing conditions.

    What acquirers will demand during 2026 reviews

    Acquirers must prove to regulators that their high-risk portfolios meet PSD3/PSR standards. As a result, merchants will be asked to provide:

    • Updated SCA workflows and fallback logic
    • Subscription and renewal disclosures
    • Complaint-handling procedures
    • Fraud-control documentation and monitoring reports

    If these materials are incomplete or outdated, acquirers may mandate corrective actions before allowing continued processing.

    How high-risk merchants should prepare internal compliance frameworks

    Merchants should align compliance, product, risk and payments teams to ensure consistent documentation, predictable processes and audit-ready records. A central compliance playbook covering SCA, routing, disclosures, refund rules and customer communication helps maintain alignment across departments.

    Aligning with PSR’s transparency and reporting requirements

    PSR requires clear fee disclosures, accurate FX visibility and consistent communication of charges. High-risk merchants must verify that their checkout flows accurately reflect local requirements and pass transparent data to acquirers.

    Market-by-Market Snapshot: EU Enforcement vs Global Impact

    PSD3 and PSR are EU-driven reforms, but their influence extends well beyond the Single Market. High-risk merchants operating globally, especially those selling into Europe through cross-border acquiring will feel these changes through tighter onboarding, stronger SCA enforcement and more demanding data-quality expectations. Below is a concise overview of how different regions will experience the 2026 enforcement cycle.

    1. European Union

    The EU is the core enforcement region. All PSPs, acquirers and merchants serving EU consumers must comply with the new SCA, disclosure and fraud-reporting requirements. High-risk merchants face strict monitoring and more structured onboarding reviews.

    1. United Kingdom

    The UK is not adopting PSD3/PSR directly but is moving in parallel with APP scam protections, stronger SCA interpretation and higher expectations for subscription clarity. EU-facing UK merchants must still comply when selling to EU cardholders.

    1. United States

    While PSD3/PSR does not apply locally, US acquirers processing EU traffic will enforce stricter SCA and transparency requirements to maintain compliance. Evidence and data-quality demands will rise for high-risk merchants.

    1. APAC & LATAM

    Merchants selling into the EU from these regions will encounter more granular onboarding checks, stronger SCA expectations and increased scrutiny of cross-border flows, especially across digital goods, travel and gaming.

    Case Scenarios: How Different High-Risk Merchants Should Adapt

    PSD3 and PSR introduce broad requirements, but their real impact varies across high-risk business models. These short scenarios illustrate how different types of merchants should prepare for the 2026 enforcement cycle.

    1. Gaming Operator

    Gaming platforms face strict scrutiny due to rapid-purchase flows, high dispute rates and identity-risk behaviours. They must strengthen device intelligence, behavioural monitoring and session continuity while ensuring friction aligns with issuer expectations under SCA 2.5.

    1. Subscription Platform

    Merchants offering trials, auto-renewals or tiered upgrades need clearer renewal notices, timestamped consent records and easy cancellation paths. Detailed communication logs will be required to defend disputes and satisfy acquirer reviews.

    1. Travel OTA

    Travel merchants must enhance itinerary disclosures, refund clarity and FX transparency. High-value bookings require stronger SCA logic, fallback flows and clear pre-purchase confirmations.

    1. Digital Goods Merchant

    Instant digital fulfilment demands strong device binding and velocity monitoring. Merchants must retain detailed logs of customer actions to support dispute resolution.

    1. Marketplace / Platform

    Platforms must increase seller oversight, improve payout transparency and validate identity more thoroughly. Evidence trails for both buyer and seller become critical.

    Conclusion

    PSD3 and PSR represent more than regulatory updates; they redefine how high-risk merchants must structure authentication, disclosures, dispute evidence and operational transparency. By 2026, acquirers will expect merchants to demonstrate stronger identity signals, cleaner data flows, clearer consent capture and consistent customer communication. Those who modernise early will benefit from higher approval rates, lower dispute exposure and smoother onboarding across EU corridors. Those who delay may face intensified monitoring, stricter SCA enforcement or processing restrictions. In an environment where compliance and performance increasingly intersect, preparing for PSD3/PSR becomes not just a legal requirement but a strategic advantage for long-term, sustainable growth.

    FAQs

    1. What is PSD3 and how is it different from PSD2?

    PSD3 updates the EU’s payment rules to address gaps left by PSD2 particularly around fraud, APP scams, transparency and SCA inconsistencies. It strengthens consumer protection while requiring merchants and PSPs to adopt richer identity and behavioural data.

    2. What is PSR and why is it important for merchants?

    PSR (Payment Services Regulation) replaces parts of PSD2 with a directly applicable regulation. This means stricter and more uniform rules across the EU especially for SCA, disclosures, fraud reporting and merchant monitoring.

    3. When will PSD3/PSR enforcement begin?

    The final enforcement cycle begins in 2026. PSPs and acquirers are updating systems in 2024–2025, and will expect merchants, especially high-risk ones, to be fully compliant before enforcement is active.

    4. Which high-risk sectors will feel the impact most?

    Gaming, travel, subscription services, digital goods, marketplaces and fintech products will face the strongest scrutiny due to higher fraud, dispute ratios and complex customer journeys.

    5. What does “SCA 2.5” mean under PSD3?

    It refers to enhanced SCA expectations: richer identity signals, behavioural continuity, stronger fallback flows and greater issuer discretion. Merchants must send more complete metadata and ensure stable device and session identity.

    6. How will subscription businesses be affected?

    Subscription merchants must provide clearer renewal dates, trial terms and cancellation paths. Regulators will expect timestamped consent and transparent disclosures to reduce dispute-driven confusion.

    7. What new liabilities arise from APP scam reforms?

    While merchants don’t initiate APP transactions, they must prove clear disclosures, explicit consent and customer understanding. Weak warnings or unclear terms can increase refund exposure or weaken dispute defences.

    8. What data must high-risk merchants capture under PSD3/PSR?

    Device fingerprints, IP consistency, login patterns, velocity insights, consent logs, session identity and full transactional metadata. These signals help PSPs comply with enhanced reporting rules.

    9. Will PSD3/PSR affect approval rates?

    Yes. Issuers will rely more heavily on metadata quality and behavioural continuity. Merchants with poor data, weak SCA logic or inconsistent disclosures may experience increased step-ups or issuer declines.

    10. How should merchants prepare for acquirer audits in 2026?

    They must maintain updated SCA flows, subscription disclosures, refund policies, dispute evidence and customer-consent records. Acquirers will require documented proof not assumptions of compliance.

    11. Does PSD3/PSR apply to non-EU merchants?

    Yes, indirectly. Any merchant selling to EU customers through an EU acquirer or PSP must meet PSD3/PSR standards. Non-compliance can lead to onboarding delays or processing restrictions.

    12. What is the most important step merchants should take before 2026?

    Strengthen identity and behavioural data, update disclosures, modernise SCA logic and ensure audit-ready documentation. These foundational steps improve approval rates and reduce compliance friction.

    Share.

    Related Posts