Select Page

Preparing for PSD3 and the IPR: Payment Testing Guidance

The European payments landscape is on the cusp of its most profound regulatory transformation in almost a decade. The Payment Services Directive (PSD), first introduced in 2007 and revised as PSD2 in 2016, has fundamentally changed how money moves across the continent. Now, the updated PSD3 is in the works, aiming to further modernize EU payments and foster fintech innovation.

At the same time, Europe is in the process of rolling out the Instant Payments Regulation (IPR). This is set to make instant credit transfers the new normal in the EU, providing greater convenience for businesses and consumers alike. 

These regulatory shifts come with new challenges for payment service providers, but they also bring potential. It’s important that the organizations affected have robust testing strategies in place in order to adhere to the new rules.

Webinar
Navigating the Regional Payment Frontier

Learn what it takes to accept, optimize and validate regional payments on a glboal enterprise scale.

Watch ‘Navigating the Regional Payment Frontier’ Now

First, let’s take a closer look at the regulations.

Key requirements of the European Instant Payments Regulation

Implementation of the EU’s Instant Payments Regulation is well underway. Its aims are clear: to roll out reliable, real-time payments throughout the European Union. While many European payment service providers (PSPs) already offer instant transfers, they are often only available at an additional fee. On weekends and holidays, they might not be available at all. The IPR is set to change that. Deadlines for key requirements kicked off earlier this year and will continue through 2027:

  • Instant receipt: From January 9, 2025, all PSPs in the eurozone must be capable of receiving instant payments in euros, ensuring fees are processed and available to the payee within 10 seconds — 24 hours a day, 7 days a week.
  • Cost of transfers: PSPs must not charge more for real-time transfers than they do for other transfers of the same type (e.g., standard credit transfers). This rule applies to eurozone member states from January 9, 2025.
  • Daily sanctions screening: This requirement was also introduced on January 9, 2025. It requires PSPs to conduct sanctions screening on their entire customer base at least once per day. This screening must also be performed immediately upon the entry into force of any new or amended sanctions lists.
  • Instant sending: By October 9, 2025, PSPs must also be capable of initiating and sending instant payments in euros.
  • Verification of payee (VoP): From October 9, 2025, this critical fraud prevention measure will require PSPs to offer a free service to the payer that verifies the payee’s name against their IBAN before a transfer is authorized. This applies to all credit transfers, not just instant ones.
  • Implementation in the rest of the EU: The deadline for compliance in EU countries outside of the eurozone is extended to 2027.

The IPR promises to enhance cash flow and liquidity for businesses, while improving the payment experience for customers. However, it is a considerable challenge for PSPs that have to upgrade legacy banking systems to meet the requirements. 

PSD3 and PSR: Progressing open banking and security

Expanding on PSD2, the proposed PSD3 and its accompanying Payment Services Regulation (PSR) aim to further modernize EU payments, strengthen consumer protection and foster innovation in digital financial services. While PSD3 is a directive that still needs to be transposed into national laws, PSR will be directly applicable across all EU member states. 

Key objectives and changes include:

  • Enhanced fraud prevention: Introduction of a clearer legal framework for PSPs to share fraud-related information, mandatory VoP and liability for PSPs in cases of payment spoofing.
  • Improved open banking: Standardized APIs, removal of obstacles to open banking services and dashboards to give consumers more granular control over their data-access permissions.
  • Reinforcing strong customer authentication (SCA): Refined SCA rules to strengthen security and improve accessibility
  • Broader scope: Other players in the payments sector which were not subject to PSD2, such as buy now, pay later (BNPL) schemes and certain cryptocurrency services, could also be included in the scope of the regulations.

PSD3 has not yet been finalized, so there may still be some adjustments. Given that EU member states were given two years to transpose PSD2 into national law, it is likely that PSD3 will come into force in late 2026 or early 2027. PSR will potentially apply earlier because it does not require transposition into national laws.

What impact will PSD3 and the IPR have on fintechs and other businesses?

The main objectives of PSD3 and the Instant Payments Regulation are to increase the competitiveness of the European finance sector, while increasing consumer protections. With 24/7 instant payments, businesses will benefit from faster access to funds and improved cash flow. PSD3 will also facilitate open banking, enabling fintechs to create even more innovative services, such as embedded finance solutions. In addition, strengthened SCA methods mean better fraud prevention.

However, stricter rules for SCA and new requirements for real-time payments present challenges for PSPs, necessitating improvements to payment infrastructure.

What do PSD3 and the IPR mean for payment testing?

Over the next two to three years, PSD3 and the IPR are set to reshape the payments sector. We’ve seen it before with PSD2 — and that brought with it new testing demands for PSPs and retailers. As always, early preparation pays off. Here are some of the payment testing challenges that the new regulations are likely to pose.

Increased complexity and interoperability

The shift to instant payments, combined with the deeper integration demanded by open banking, means your systems must interact seamlessly with a wider array of internal and external participants. This necessitates:

  • End-to-end flow validation: Testing the entire payment lifecycle, from initiation by the payer to crediting the payee’s account, including all intermediate steps and parties, e.g., payment gateways, clearing systems and third-party providers (TPPs).
  • API interoperability testing: Checking that your open banking APIs are reliable for real-time data exchange and compliant with PSD3’s proposed standards.
  • Cross-border cohesion: Verifying consistent behavior and compliance for instant payments across different EU member states.

Ebook
Digital Payment Testing: 4 Ways To Ensure Successful Transactions

Learn how to test with real payment instruments to help provide a seamless omnichannel experience to build customer trust.

Download the Digital Payment Testing Ebook Now

Enhanced security and fraud prevention

The inherent speed of instant payments leaves no room for error. Security and fraud prevention measures need to be able to keep up. Testing scope will need to include:

  • Strong customer authentication: Beyond basic functional tests, you’ll need to build sophisticated test cases for the various SCA methods (i.e., knowledge, possession and inherence), exemption handling and ensuring accessibility for diverse user groups. Test scenarios must validate the full authentication journey, including potential delegation to third parties. 
  • Verification of payee: With reinforced VoP rules, your testing must rigorously validate name-matching algorithms, “close match” scenarios and immediate notifications to the payer. What happens when a business uses a trading name that differs from its legal name? How do aliases or joint accounts impact the check? These are critical test scenarios.
  • Real-time fraud monitoring and detection: The 10-second window means your fraud detection systems must operate quickly and reliably. Testing should cover a wide range of simulated fraud patterns, including social engineering, spoofing and account takeovers.
  • Sanctions screening: Real-time sanctions screening systems must be tested to verify that daily updates are processed swiftly across your customer database, without introducing unacceptable latency into instant payment flows.

How can companies prepare for PSD3 and the IPR?

Preparing for PSD3 and the IPR requires a strategic, holistic and proactive approach to payment testing. Given the real-time nature of instant payments and the enhanced security and data-sharing mandates of PSD3, testing can no longer be an afterthought — it must be deeply embedded in the development lifecycle. Here are some actions that companies can take.

Prioritize security testing and fraud prevention

Beyond performance, elevating security and fraud testing is paramount. This involves developing sophisticated test cases for new fraud types addressed by PSD3, such as spoofing and authorized push payment (APP) fraud. It also means rigorously testing the effectiveness of AI/ML-driven fraud detection models in real time.

For strong customer authentication (SCA) and verification of payee (VoP), comprehensive test matrices are needed. These should cover all flows, including multi-factor authentication methods, exemptions, edge cases and accurate name-matching scenarios, ensuring immediate responses and user notifications.

Strengthen interoperability and API testing

Finally, comprehensive end-to-end and interoperability testing is essential. This extends beyond internal systems to cover interactions with other PSPs, clearing systems and TPPs. Companies must accurately simulate these external interactions, collaborating with partners and using external testing environments in multiple EU countries to validate cross-organizational payment flows.

This also means ensuring API compliance and performance for open banking features. As changes are implemented, robust regression testing is critical to ensure that new functionalities don’t inadvertently break existing compliant processes, given the ongoing evolution of payments. 

By focusing on these areas, companies can build a resilient testing framework that not only facilitates compliance with PSD3 and the IPR but also positions them to leverage the innovations these regulations enable.

With new technologies and regulations, testing demands are prone to frequent change. This makes regulatory compliance in the financial sector a real challenge. Applause can help with our community of skilled testers covering a wide range of devices and countries. Learn more about our payment testing solutions.

Want to see more like this?
PaymentsSecurityFinance
Zeb Winzenried
Zeb Winzenried
Senior Director, Testing Services for Applause

Published On: September 2, 2025
Reading Time: 8 min

Payments

Preparing for PSD3 and the IPR: Payment Testing Guidance

With new fintech regulations on the horizon, early preparation pays off.
Payments

Anatomy of an Accessibility Pilot

Learn what a short accessibility pilot engagement looked like for a small tech firm that needed help fast.
Payments

Should Software Testers Learn How To Code? Pros and Cons

Coding offers opportunity for career advancement, if you’re up to the task.
Payments

What is a11y? Advocacy for Accessibility

Discover what a11y stands for and why it’s a critical component of digital quality for brands.
Payments

Scaling Globally with Automation and Localization

Learn how to scale localization efforts by combining automation with real-world human expertise.
Payments

Digital Accessibility: Common Issues and Challenges

Explore some common issues and challenges organizations encounter on the path to digital accessibility.
No results found.