OneSpan - Preparing for PSD3: Proposed changes to SCA and APP fraud prevention
Promotions | 07.03.2025
Banks and financial institutions face an ever-evolving landscape of payment fraud, from phishing scams and wire transfer fraud to the growing threat of authorized push payment (APP) fraud. While PSD2 introduced a robust security framework, the European Union is now enhancing regulations to address emerging fraud tactics more effectively. The proposed Payment Services Regulation (PSR), often referred to as PSD3, aims to strengthen security and fraud prevention measures.
Softprom and OneSpan help businesses navigate regulatory changes and implement effective security measures. Below, we outline the most critical updates proposed in PSD3 regarding strong customer authentication (SCA) and APP fraud prevention.
Strengthening Strong Customer Authentication (SCA)
SCA, introduced under PSD2 in 2019, requires customers to verify their identity using at least two authentication factors. PSD3 proposes several refinements to enhance security and accessibility:
Updated SCA Definition: Authentication factors no longer need to belong to different categories, as long as they are independent of each other. For example, users may authenticate using two inherence elements, such as fingerprint and facial recognition. However, knowledge-based authentication alone is unlikely to be permitted.
Improved Accessibility: Payment Service Providers (PSPs) must support diverse authentication methods to accommodate all users, including individuals with disabilities, older customers, and those without access to digital channels. For example, PSPs must offer alternatives like hardware tokens for users who cannot receive one-time passcodes via mobile devices.
Expanded Authentication Methods: PSPs must provide a variety of authentication mechanisms, including hardware tokens and smart cards, at no additional cost to users. This change ensures that security measures are inclusive and accessible to all customers.
Combating APP Fraud
APP fraud occurs when cybercriminals deceive individuals into authorizing payments to fraudulent accounts. The rise of APP fraud—growing at an estimated 10% per year—has made it one of the most pressing challenges in digital finance. To combat this, PSD3 introduces several key countermeasures:
IBAN/Name Matching: Before completing a transaction, the PSP of the payer can verify whether the recipient’s name matches the associated IBAN. This mechanism, already used in countries like the UK and the Netherlands, helps prevent social engineering scams.
Liability Framework: PSD3 clarifies the conditions under which liability for fraud falls on PSPs, electronic communication providers, or digital service providers. This shared responsibility ensures all parties implement proactive fraud prevention measures.
Enhanced Transaction Monitoring: While PSD2 requires PSPs to monitor transactions for potential fraud, PSD3 expands their authority to block suspicious payments if they have strong evidence of fraudulent activity.
Fraud Data Sharing: In compliance with GDPR, PSPs will be permitted to share fraud-related data with other institutions, helping to identify patterns and prevent recurring fraud attempts.
User Education Initiatives: PSPs must actively educate customers and staff about fraud risks, providing clear guidance on recognizing, avoiding, and reporting scams.
Next Steps for PSD3 Implementation
The European Parliament approved the PSR proposal on April 23, 2024. The regulation is now under review by the European Council, followed by trilogue negotiations between the European Commission, Parliament, and Council. The final version of PSD3 is expected to be completed in the first half of 2025.
PSD2 significantly reduced account takeover fraud by enforcing SCA across Europe. PSD3 aims to address the growing concerns of APP fraud, implementing stricter authentication requirements and liability frameworks. As regulations evolve, financial institutions must stay ahead by adopting these enhanced security measures.
How Softprom Can Help
At Softprom, we specialize in providing cybersecurity solutions and compliance support to help financial institutions navigate evolving regulations. Our team of experts can assist in implementing advanced fraud detection, secure authentication methods, and regulatory compliance strategies. Contact us today to learn how we can support your organization in preparing for PSD3.