    PSD3 & PSR for Merchants: A Practical Readiness Playbook for 2026

    December 26, 2025 (Updated: December 26, 2025)
    Visual showing how PSD3 and PSR enforcement flows from regulators to PSPs and merchants in 2026.

    On paper, PSD3 and the new Payment Services Regulation (PSR) are aimed at payment service providers, not merchants. That distinction has led many businesses to assume these reforms are something their PSP will “handle in the background”. In practice, that assumption is already proving risky.

    PSD3 and PSR significantly increase how accountable PSPs are for fraud outcomes, transparency, and the merchants they support. When regulatory pressure rises at the PSP level, it doesn’t stop there. It flows downstream into onboarding standards, ongoing reviews, transaction monitoring, refund handling, and, ultimately, decisions about who gets supported and on what terms.

    By 2026, merchants will feel PSD3 and PSR not through direct obligations, but through tougher questions, more frequent reviews, and lower tolerance for ambiguity. Those who understand this shift early can prepare calmly. Those who don’t often experience it as sudden friction, restrictions, or lost payment access.

    Table of Contents
    • What PSD3 & PSR Actually Change
    • Why Merchants Are Indirectly in Scope
    • Fraud Expectations That Flow Down to Merchants
    • Refunds, Disputes, and Transparency Under PSR
    • Access, Restrictions, and De-Risking in Practice
    • Merchant Readiness Checklist for 2026
    • Conclusion
    • FAQs

    What PSD3 & PSR Actually Change

    PSD3 and PSR work together, but they do different jobs. PSD3 focuses on how PSPs are authorised, supervised, and held accountable by regulators. PSR sets the day-to-day operational rules that apply consistently across the EU. For merchants, the distinction matters less than the outcome: less flexibility and more scrutiny throughout the payments chain.

    Under PSD2, enforcement varied widely by country. PSPs had room to interpret rules locally and manage merchant risk with a degree of discretion. PSD3 and PSR reduce that flexibility. Regulators expect more consistent standards across markets, and PSPs are required to show that their merchant portfolios, controls, and monitoring decisions are defensible.

    In practical terms, this means PSPs must understand merchants more deeply than before. Business models, payment flows, customer journeys, and refund logic can no longer be treated as background information. They become part of how PSPs evidence compliance, fraud prevention, and consumer protection under the new framework.

    Another important shift is timing. PSR pushes expectations around ongoing oversight, not just onboarding. Reviews are no longer reactive or event-driven. They become periodic, structured, and documented. For merchants, this feels like more questions and more follow-ups, even when nothing has “gone wrong”.

    Diagram showing how PSD3 and PSR enforcement changes PSP onboarding and merchant reviews.

    The key takeaway is simple. PSD3 and PSR don’t create a new rulebook for merchants to memorise. They change how PSPs are judged, and that, in turn, changes how merchants are assessed, supported, and sometimes restricted. Understanding that chain reaction is the first step toward being ready for 2026.

    Why Merchants Are Indirectly in Scope

    Merchants sit outside the formal scope of PSD3 and PSR, but they sit squarely inside the risk perimeter those rules create. The reason is simple: regulators don’t just supervise PSPs anymore; they supervise how PSPs manage the businesses that use their rails.

    Under PSD3, PSPs must demonstrate that they understand and actively manage the risks flowing through their platforms. That includes fraud exposure, refund behaviour, customer harm, and transparency. Merchants become part of that evidence. If a PSP cannot clearly explain what a merchant does, how money moves, or where risks sit, the PSP carries the regulatory consequences.

    This is where indirect scope becomes real. Merchants are no longer just customers of PSPs; they are inputs into PSP compliance frameworks. Business descriptions, checkout flows, refund policies, and even customer messaging are reviewed through a regulatory lens because they affect whether a PSP can meet its obligations under PSR.

    The enforcement chain now works top-down. Regulators set expectations. PSPs translate those expectations into controls. Merchants feel those controls as stricter onboarding, deeper questions, and ongoing reviews. Nothing in this chain requires merchants to breach a rule themselves for action to be taken.

    By 2026, being “out of scope” will no longer be a meaningful defence when issues arise. Merchants that understand why they are indirectly in scope can prepare documentation, clarify flows, and respond confidently. Those who don’t often experience the same outcome very differently, as sudden friction they didn’t see coming.

    Fraud Expectations That Flow Down to Merchants

    Fraud is one of the main reasons PSD3 and PSR exist, and it’s also where merchants feel the impact most directly. As regulators raise expectations around fraud prevention and consumer outcomes, PSPs are expected to demonstrate not just controls, but effective results. That pressure inevitably flows downstream.

    Under the new framework, PSPs must show that fraud risks are understood at a merchant level, not averaged across portfolios. This means merchant payment journeys are analysed for scam exposure, misuse, and ambiguity. Flows that make it easy for customers to be deceived, rushed, or confused attract closer scrutiny, even if fraud rates appear low.

    A particular focus is authorised push payment (APP) fraud. Regulators increasingly expect PSPs to show how they prevent scams, not just reimburse them. For merchants, this translates into questions about customer messaging, confirmation steps, and how clearly the nature of a payment is explained at the point of action. Where intent or value exchange is unclear, PSPs assume higher risk.

    Fraud expectations also extend beyond cards. Instant payments, A2A transfers, and alternative rails are all assessed through the same lens. Merchants that rely heavily on real-time payments may face stricter controls, limits, or monitoring requirements because losses are immediate and recovery options are limited.

    By 2026, fraud prevention will no longer be something merchants can outsource mentally to their PSP. Even if controls are implemented upstream, merchants are expected to design journeys that reduce the likelihood of harm. Those that don’t are more likely to see higher declines, tighter limits, or escalated reviews, not because they’ve broken a rule, but because they’ve become harder for a PSP to defend.

    Refunds, Disputes, and Transparency Under PSR

    Refund handling has moved from a customer service issue to a compliance signal. Under PSR, regulators place greater emphasis on consistent consumer outcomes, and PSPs are expected to understand how merchants handle refunds, reversals, and disputes across different payment methods.

    For merchants, the pressure point is often inconsistency. Card refunds, instant payment refunds, and alternative payment reversals behave differently, but customers don’t experience them differently. When timelines, eligibility, or communication vary without a clear explanation, complaint risk rises. PSPs are increasingly expected to spot and address those gaps before they become regulatory issues.

    Transparency is closely linked to this. PSR strengthens expectations around how charges, refund rights, and timelines are presented to customers. Vague terms, buried conditions, or unclear cancellation processes are no longer just poor UX; they are potential risk indicators. Merchants that rely on assumptions like “this is standard practice” often find those assumptions questioned.

    Disputes also attract more attention, even when formal chargebacks aren’t involved. High complaint volumes, escalations to ombudsman schemes, or recurring refund-related issues signal consumer harm. PSPs track these patterns because regulators do.

    In 2026, merchants that treat refunds and transparency as operational afterthoughts are more likely to face scrutiny. Those that document their processes clearly, align customer messaging with reality, and understand how different rails behave are easier for PSPs to support and less likely to be flagged under PSR-driven reviews.

    Access, Restrictions, and De-Risking in Practice

    One of the stated goals of PSR is to reduce unjustified de-risking and improve fair access to payment services. In theory, this should benefit merchants by making PSP decisions more transparent and more defensible. In practice, the outcome depends heavily on how well a merchant can evidence its own risk posture.

    1. What PSR Is Trying to Prevent

    PSR strengthens expectations around objective, risk-based decision-making. PSPs are expected to justify why access is restricted, why limits are applied, or why relationships are exited. Blanket decisions and unexplained account closures are harder to defend under the new framework.

    For merchants, this creates an opportunity. Where documentation is strong and risks are clearly understood, PSPs are under pressure to explain and evidence any negative action they take.

    2. What Still Happens in Reality

    At the same time, PSR does not eliminate risk-based restrictions. PSPs are still allowed and expected to limit or exit merchants where risk is poorly defined or difficult to manage. The difference is that decisions must now be backed by reasoning, data, and process.

    This is where many merchants struggle. When business models are loosely described, payment flows evolve without being documented, or refund and fraud handling is unclear, PSPs default to restriction because it is easier to justify than continued exposure.

    In 2026, “fair access” does not mean unconditional access. It means access is contingent on clarity. Merchants that can explain what they do, how money moves, and how risks are controlled are far less likely to experience sudden limits or exits even in a tighter regulatory environment.

    Merchant Readiness Checklist for 2026

    This checklist isn’t about legal compliance. It’s about being easy for a PSP to support under PSD3 and PSR pressure. Merchants that can evidence these points face fewer questions, fewer surprises, and fewer restrictions.

    Illustration showing key merchant readiness areas under PSD3 and PSR.
    • Clear business and payment flow descriptions
      Your public site, onboarding answers, and internal documentation should all describe the same reality. Inconsistencies are a common trigger for review.
    • Documented fraud and scam prevention logic
      Be able to explain how your customer journey reduces misuse, confusion, or coercion, especially for instant payments and A2A flows.
    • Transparent refund and dispute handling
      Refund timelines, eligibility, and method-specific behaviour should be clear to customers and defensible to PSPs.
    • Ownership of PSP communications and reviews
      Reviews should not be treated as interruptions. Assign internal ownership so questions are answered consistently and promptly.
    • Regular internal reviews of risk signals
      Monitor complaint trends, refund ratios, and fraud patterns before your PSP raises them.
    • Alignment between marketing language and operational reality
      Avoid aspirational or vague claims that imply services, guarantees, or protections you don’t actually provide.

    This level of readiness doesn’t make a merchant “low risk”. It makes them understandable, and under PSD3 and PSR, that distinction matters.

    Conclusion

    PSD3 and PSR don’t introduce a new checklist for merchants to complete. They introduce a new reality in which how well a merchant can be understood and defended matters more than ever. The regulation targets PSPs directly, but the operational pressure lands squarely on the businesses that those PSPs support.

    For merchants, the shift is subtle but significant. Questions become more detailed. Reviews become more frequent. Tolerance for ambiguity disappears. None of this means merchants are being regulated directly; it means PSPs are being held to a higher standard, and merchants are part of how that standard is judged.

    The merchants that navigate this well in 2026 aren’t the ones trying to memorise regulatory language. They’re the ones that invest in clarity: clear payment flows, clear refund logic, clear fraud controls, and clear communication with both customers and PSPs. That clarity reduces friction long before it turns into restrictions.

    Ultimately, PSD3 and PSR act as a stress test. They expose weak documentation, unclear journeys, and assumptions that used to go unchallenged. Merchants that treat this as a readiness exercise rather than a compliance burden will find that tighter regulation doesn’t necessarily mean less access; it means fewer surprises and more stable payment relationships.


    FAQs

    1. Do PSD3 and PSR apply directly to merchants?

    No. They regulate PSPs, not merchants. However, merchants are affected indirectly because PSPs must demonstrate stronger oversight of the businesses they support.

    2. Why are PSPs asking more detailed questions in 2026?

    Because PSD3 and PSR increase PSP accountability for fraud, transparency, and consumer outcomes. Deeper merchant understanding is now required evidence.

    3. Can PSD3 or PSR cause a merchant account to be restricted?

    Not directly. Restrictions usually result from PSP risk decisions made to comply with PSD3/PSR expectations, especially where information is unclear or incomplete.

    4. Are refunds now considered a compliance issue?

    Yes, indirectly. Under PSR, refund handling and transparency are treated as indicators of consumer harm, which PSPs must monitor and justify.

    5. What types of merchants are reviewed more frequently under PSD3?

    High-risk, cross-border, and fast-scaling merchants are typically reviewed more often due to higher fraud exposure and operational complexity.

    6. Does PSR prevent PSPs from de-risking merchants?

    PSR discourages unjustified de-risking, but it does not eliminate risk-based restrictions. PSPs must now be able to explain and document their decisions.

    7. How does APP fraud affect merchants under PSD3?

    PSPs are expected to prevent scams, not just respond to them. Merchant payment journeys that increase scam risk may face tighter controls or scrutiny.

    8. Will periodic reviews become standard for all merchants?

    Yes. Ongoing reviews are becoming normal, even where no incidents have occurred, as PSPs must evidence continuous oversight.

    9. What documentation should merchants have ready?

    Clear business descriptions, payment flow diagrams, refund policies, fraud prevention measures, and consistent public-facing messaging.

    10. Is this a one-time preparation exercise?

    No. PSD3 and PSR reinforce ongoing readiness. Merchant risk posture is assessed continuously, not just at onboarding.
