Learn about delegated strong customer authentication in PSD3 & PSR, how passkeys could fit, compliance shifts, and what’s still undecided.
Vincent
Created: May 6, 2025
Updated: May 8, 2025
The European payments landscape has been significantly changed by the second Payment Services Directive (PSD2). Entering into force progressively from 2018, PSD2 mandated Strong Customer Authentication (SCA) for most electronic payments to enhance security and combat fraud. This typically requires verifying a user's identity using at least two of three independent factors: Knowledge (something only the user knows, like a password), Possession (something only the user possesses, like a phone or hardware token), and Inherence (something the user is, like a fingerprint or facial scan).
While PSD2's SCA requirements have demonstrably reduced certain types of fraud, they also introduced friction into the payment process, particularly for card payments involving 3-D Secure (3DS) protocols, which often redirect users to their bank's domain for authentication. This added checkout friction can lead to cart abandonment and a less seamless user experience.
Recognizing these challenges and the rapid evolution of the digital payments market, the European Commission published legislative proposals on June 28, 2023, to update the framework. This package consists of a new Payment Services Directive (PSD3) and a Payment Services Regulation (PSR).
Often described as an "evolution, not a revolution", this reform aims to refine existing concepts like Strong Customer Authentication (SCA) and Open Banking, further strengthen consumer protection against fraud, foster competition among payment service providers (PSPs), and improve the overall functioning of the EU payments market. One of the key areas of evolution is the explicit clarification and framework provided for Delegated Authentication.
The journey from proposal to application involves several stages. Following the June 2023 publication, the proposals entered the EU legislative process involving the European Parliament and the Council of the EU. The Parliament's Economic and Monetary Affairs (ECON) committee published draft reports with amendments in late 2023 and early 2024, followed by the Parliament adopting its position at first reading in April 2024. The next phase involves negotiations between the Parliament, Council, and Commission to agree on the final texts. Throughout this process, stakeholders including banks, PSPs, technology companies, and consumer groups engage in public consultations and lobbying efforts to influence the outcome.
While initial estimates suggested finalization by late 2024 or early 2025, the legislative process can be complex, and some analyses now suggest potential delays, possibly pushing final agreement later and the application date into Q1 2027. Generally, the new rules are expected to apply 18 months after their publication in the Official Journal of the EU, placing the likely start date in mid-2026 at the earliest, but potentially later depending on the finalization timeline.
A significant structural change is the introduction of the PSR alongside PSD3. The PSR will be directly applicable across all EU member states, ensuring uniform implementation of operational rules like SCA requirements and Open Banking access. This directly addresses a weakness of PSD2, where its nature as a directive led to variations in national transposition and implementation, creating fragmentation. PSD3, remaining a directive, will focus on the authorization, licensing, and supervision of payment institutions, allowing for some national context in market oversight. This dual structure represents a strategic approach: aiming for faster, consistent harmonization in critical operational areas via the regulation, while retaining the directive format for institutional oversight where national specificities are more relevant.
Given the complexities of the trialogue negotiations, the subsequent need for the European Banking Authority (EBA) to develop detailed Regulatory Technical Standards (RTS) and Guidelines, and the time required for the industry to prepare for implementation, the commonly cited 18-month transition period appears ambitious. Businesses should factor potential delays into their planning, looking towards late 2026 or even early 2027 as plausible application dates.
One of the most notable clarifications in the proposed PSD3/PSR framework is the explicit allowance for Delegated Authentication (DA).
Delegated Authentication (DA) refers to the process where a Payer's Payment Service Provider (PSP), typically the bank issuing the payment instrument (e.g., card issuer), allows a third party to perform the Strong Customer Authentication (SCA) on its behalf.
The original text from the proposed regulation (Article 87 of the PSR proposal, emphasis added) reads:
Outsourcing agreements for the application of strong customer authentication
"A payer's payment-service provider shall enter into an outsourcing agreement with its technical service provider in case that technical service provider is providing and verifying the elements of strong customer authentication. The payer's payment-service provider retains full liability for any failure to apply strong customer authentication and must have the right to audit and control the security provisions."
The draft texts state that issuers (typically banks providing the payment account) can delegate the responsibility for applying SCA to certain third parties. These third parties are envisaged to include merchants, payment gateways or acquirers, online marketplaces, or digital wallet providers.
This move is significant because it formally acknowledges and provides a potential regulatory pathway for scenarios where someone other than the account-holding institution performs the authentication check required under SCA. The stated goal behind enabling DA is to foster innovation in the authentication experience. By allowing delegation, the regulation hopes to empower those entities often closest to the customer interaction (like merchants or wallets) to build lower-friction, more integrated authentication flows that leverage the latest technologies, such as biometrics or passkeys, ultimately improving the user experience. Early examples, like Stripe's DA implementation launched prior to the PSD3 draft, aimed to capture these benefits, reporting faster authentication times and increased conversion rates for participating issuers.
However, the draft proposals introduce a critical condition: the delegation of SCA by an issuer to a third party is explicitly classified as outsourcing. This classification is not merely semantic; it carries significant regulatory weight. It means that any DA arrangement must comply with the stringent rules governing outsourcing by financial institutions, primarily the EBA Guidelines on Outsourcing Arrangements. Furthermore, digital wallet operators verifying SCA elements will need formal outsourcing agreements with the issuing banks.
This 'outsourcing' label presents a complex trade-off. On one hand, explicitly permitting DA signals regulatory openness to innovation and potentially better UX. On the other hand, subjecting these arrangements to the full weight of financial services outsourcing regulations introduces substantial compliance overhead. The process is transformed from a potentially simple technical hand-off into the delegation of a core, regulated security function. This triggers extensive requirements related to due diligence, contractual specifics, risk management, ongoing monitoring, audit rights, and potentially compliance with the Digital Operational Resilience Act (DORA). The significant burden associated with these outsourcing requirements could potentially halt the very innovation DA is intended to encourage, particularly for smaller merchants or TSPs lacking the resources to navigate this complex regulatory landscape.
The classification of Delegated Authentication as 'outsourcing' under the PSD3/PSR proposals means that such arrangements fall squarely within the scope of the EBA Guidelines on Outsourcing Arrangements. These guidelines establish a comprehensive framework that financial institutions (including issuers delegating SCA) and, by extension, the Technical Service Providers (TSPs) performing the delegated function, must adhere to.
These guidelines impose several key obligations:
Adding another layer of complexity is the Digital Operational Resilience Act (DORA), which establishes harmonized rules across the EU for managing Information and Communication Technology (ICT) risks in the financial sector. DORA applies from January 17, 2025.
DORA is relevant to DA in several ways:
The interplay between the EBA Outsourcing Guidelines and DORA creates a dense web of compliance obligations for any TSP venturing into DA. Successfully offering these services will require not just technical prowess but also significant investment in governance structures, risk management frameworks, robust documentation, audit readiness, and demonstrable operational resilience. This complex environment may inadvertently favor larger, established TSPs with the resources and expertise to navigate these demanding requirements.
A crucial consequence of DA under the proposed framework is the shift in liability for fraudulent transactions where SCA fails.
This direct liability placed upon TSPs for SCA failures under DA represents a significant financial risk. While the promise of improved user experience and conversion rates is attractive, the potential cost of fraud could act as a considerable deterrent for many TSPs contemplating offering DA services. Robust risk mitigation strategies, potentially including higher service fees or specialized insurance, may become necessary prerequisites for widespread DA adoption by merchants and gateways.
Delegated Authentication holds the potential to fundamentally reshape the user experience for card payments, particularly compared to the traditional 3-D Secure (3DS) process.
Currently, the 3DS process for SCA challenges typically involves a hand-off where the customer interacts with an issuer-controlled element. Traditionally, this meant a full browser redirect away from the merchant's website or app to the issuer's domain (e.g., their banking app or a specific authentication page). Increasingly, newer 3DS versions present this challenge inline via an embedded iframe on the merchant's page. While an iframe avoids a full page departure, both methods of redirecting the user's focus to an issuer-controlled step can be jarring, add time to the checkout process, and contribute to customer drop-off.
DA offers a pathway to eliminate this friction from the process. By allowing the merchant, payment gateway, or digital wallet to perform the SCA directly within their own environment, the authentication step can be seamlessly integrated into the checkout flow. This promises a smoother, faster, and more cohesive experience for the customer. When combined with modern, low-friction authentication methods like device-integrated biometrics (Face ID, fingerprint scans) or passkeys, DA could significantly reduce checkout friction, potentially leading to lower cart abandonment rates and higher payment conversion rates. Real-world data, such as Stripe's reported 7% conversion uplift and four-times faster authentication for transactions using their DA solution with Wise cardholders, underscores this potential benefit.
Realizing this potential requires significant technical and commercial groundwork. It involves establishing new integration points and communication protocols between merchants/gateways/wallets and issuers. Payment schemes like Visa and Mastercard play an important role here. Mastercard, for example, has developed its Identity Check Express enabling merchants and Mastercard to authenticate the consumer on behalf of the issuer within the merchant's flow. Similarly, Stripe has built its DA capabilities based on bilateral agreements with specific issuers like Wise.
These developments suggest that DA is more than just a regulatory update. It acts as a catalyst for re-architecting payment authentication flows. Moving the point of authentication from the issuer's domain back towards the merchant or wallet environment creates opportunities for richer, more context-aware authentication decisions and user experiences that are less disruptive than the traditional redirect model. This architectural shift necessitates integrating modern authentication methods like passkeys directly into checkout processes. However, this transition hinges on establishing robust security measures, clear liability allocation (as discussed previously), and trusted frameworks, likely governed by a combination of scheme rules, bilateral agreements, and adherence to the stringent outsourcing and DORA regulations.
While the PSD3/PSR draft proposals establish the legislative groundwork, the final shape of Delegated Authentication will be significantly influenced by ongoing dialogue and lobbying from key industry players. Banks, PSPs, technology providers, and merchants are actively interpreting these drafts and advocating for changes that align with their business models and strategic goals. Many EU lobbying efforts are accessible via the German Lobby Register (note: this register is primarily in German, and many of the submitted documents were also sent to other European Union bodies). The following analysis draws upon available summaries and documents from these public submissions.
As a major payment infrastructure provider, Stripe sees significant opportunity in DA. They view it as a crucial tool for improving payment conversion rates and enhancing the customer checkout experience by reducing friction. Stripe has proactively launched its own DA solution, based on bilateral agreements with issuers like Wise, demonstrating its commitment to this model even before PSD3/PSR is finalized. Their lobbying efforts appear focused on ensuring the regulatory environment supports innovation and minimizes burdens. Key areas include advocating for streamlined re-authorization processes for existing licensed entities under PSD3, seeking greater clarity and flexibility regarding SCA exemptions (like Transaction Risk Analysis (TRA) thresholds and Merchant-Initiated Transactions (MITs)), ensuring platforms using solutions like Stripe Connect aren't unnecessarily burdened with agent licensing requirements, and pushing for direct access to payment systems for non-bank PSPs.
PayPal, a major e-money institution and wallet provider, is a vocal proponent of an outcome-based approach to SCA. They argue that regulations should prioritize the demonstrable security effectiveness of an authentication method – particularly its resistance to modern threats like phishing – rather than strictly adhering to the traditional Knowledge/Possession/Inherence factor categories defined in PSD2. They highlight the success of their passkey implementation, which significantly reduced fraud while improving login success. Consequently, PayPal urges policymakers designing the PSR to focus on the overall strength of authentication solutions, allow combinations of strong factors even if from the same category (e.g., two possession factors), balance security with usability, and avoid overly prescriptive technological mandates.
Mastercard strongly contests the draft's broad classification of all DA as outsourcing. They argue, along with other industry groups, that only authentication models where the issuer lacks control over the SCA process should be subject to the full rigor of outsourcing requirements. Their lobbying position reflects this: they seek clarification that DA is not 'critical' outsourcing, advocate for scalable or multilateral outsourcing agreements to facilitate DA adoption, and want the proposed liability for schemes and TSPs related to SCA failures removed entirely. Additionally, Mastercard pushes for merchants to be mandated to send additional information, like behavioral and environmental data to issuers to improve risk assessment, and requests explicit allowance for TSPs to process biometric data without explicit user consent specifically for SCA purposes, and suggests fine-tuning SCA exemptions for specific low-risk use cases.
Trade associations and industry bodies largely echo the concerns raised by major players. Payments Europe, for instance, mirrors Mastercard's stance on the outsourcing definition, emphasizing that only scenarios where the issuer loses control should trigger outsourcing rules. Bitkom, representing the digital industry, also calls for clarity on this point and advocates for the explicit regulation of behavioral biometrics for SCA. These groups consistently stress the need for technological neutrality and flexibility within the SCA framework to foster innovation and avoid digital exclusion. CCIA Europe raises practical concerns about the implementability of issuers' broad rights to audit and control TSPs' security provisions under DA arrangements.
Table: Key Industry Positions on Delegated Authentication & SCA under PSD3/PSR
| Feature | Stripe | PayPal | Mastercard |
|---|---|---|---|
| Delegated Auth (DA) | Actively offers DA solution; views as key for conversion/UX. | Utilizes DA exemption where available. | Supports DA concept; offers DA solution (Identity Check Express). |
| DA as Outsourcing | Position less explicit in snippets; likely accepts but seeks operational ease. | Position less explicit in snippets. | Strongly opposes broad classification; argues only applies if issuer lacks control. Wants clarification DA isn't always 'critical'. |
| Liability | Focus on minimizing platform liability and seeks clarity on exemptions. | Focus on effective fraud reduction via strong auth. | Strongly opposes proposed liability for schemes/TSPs for SCA failure. |
| SCA Approach | Seeks clarity on exemptions (TRA, MIT) & TRA thresholds. | Advocates outcome-based SCA: focus on effectiveness (phishing resistance) over factors. | Wants merchants mandated to send behavioral/environmental data. Wants TSPs allowed to process biometrics for SCA without explicit consent. |
| SCA Exemptions | Seeks clarification, especially for MITs and TRA thresholds. | Actively uses TRA, MIT, DA, Trusted Merchant exemptions. | Proposes fine-tuning exemptions for low-risk cases (EV charging, vending, etc.). |
The strong, coordinated pushback against the draft's current approach underscores a fundamental tension. The industry desires the user experience and innovation benefits potentially offered by DA but seeks to avoid the significant compliance burdens associated with regulated outsourcing under the EBA Guidelines. Their proposed alternative – defining outsourcing based on whether the issuer retains control – aims to carve out a space for DA that is less regulatorily intensive. The resolution of this debate during the legislative discussions will be crucial in determining the practical feasibility and attractiveness of DA for many TSPs.
Despite this regulatory uncertainty, leading players like Stripe and Mastercard are not waiting. They are actively developing and deploying DA solutions now, utilizing existing frameworks like bilateral agreements and scheme rules, often incorporating advanced technologies like biometrics and FIDO standards. This proactive strategy allows them to capture early market share, demonstrate the technical viability of DA, potentially shape emerging standards, and prepare their clients for the future landscape. This approach is not solely driven by enhancing consumer experience; it also serves to bind customers more closely to the payment provider rather than the issuer, all while navigating the inherent risks of an evolving regulatory environment and associated liability shifts. As the industry explores these new DA models, the role of advanced authentication technologies like passkeys becomes increasingly central to achieving both security and user experience goals.
Passkeys, based on the FIDO Alliance's WebAuthn standard, represent an important advancement in authentication technology, and this section will discuss how they might help to bridge the gap for Strong Customer Authentication (SCA) in a Delegated Authentication (DA) context.
The core strength of Passkeys is using public-key cryptography to create unique credentials for each website or app. This mechanism makes them inherently resistant to phishing attacks, as the credential only works on the legitimate site it was created for, and relies on secure device unlocking (often via biometrics) rather than shared secrets like passwords. This combination offers the potential for both enhanced security and a smoother user experience.
From a technical standpoint, passkeys appear ideally suited for Delegated Authentication scenarios. In a DA flow, a merchant or gateway performing SCA could prompt the user to authenticate using a passkey stored on their device (phone, computer). This authentication happens directly within the merchant's or TSP's environment, leveraging the device's built-in biometric capabilities (like Face ID or fingerprint scanning) for verification, thus eliminating the need for redirects or cumbersome one-time passcodes (OTPs). This aligns perfectly with the goal of DA to create more seamless and secure checkouts. But let's take a look at how an Issuer could control and verify a third-party authentication with passkeys.
However, integrating passkeys into the regulated world of SCA, especially under DA, faces challenges. PSD2's rigid three-factor (Knowledge, Possession, Inherence) categorization created ambiguity around how passkeys fit, particularly concerning the 'Possession' element and the independence of factors when biometrics unlock the device holding the passkey. The emergence of synced passkeys (which can be available across multiple devices) further complicates this classification.
While PSD3/PSR introduces some flexibility by clarifying that authentication factors need only be independent (compromise of one doesn't affect the other) rather than necessarily belonging to different categories, as explicitly stated in the proposed regulation:
"The two or more elements referred to in Article 3, point (35), on which strong customer authentication shall be based do not necessarily need to belong to different categories, as long as their independence is fully preserved."
This doesn't fully resolve the classification ambiguity or provide explicit endorsement for synced passkeys as SCA-compliant. This regulatory uncertainty reinforces the arguments made by players like PayPal, who advocate for an outcome-based approach to SCA, focusing on the proven security results (like phishing resistance) delivered by methods like passkeys, rather than forcing them into potentially outdated categorical boxes. (For a deeper dive into outcome-based SCA and passkeys, see our outcome-based SCA analysis.)
Given the widespread adoption of synced passkeys by users and merchants, and the limitations of SPC (Secure Payment Confirmation), the PSD3/PSR framework should aim to create a clear pathway for leveraging these existing passkey relationships within Delegated Authentication. This approach would focus on practical, outcome-based security rather than being constrained by specific technical implementations originally conceived before the maturation of synced passkeys. To achieve this, several key developments are necessary, focusing on regulatory adjustments, operational trust mechanisms, and evolving industry standards. A future-proofed DA model leveraging synced passkeys could involve several key developments that we will discuss now.
Effective mainstreaming of synced passkeys in DA begins with clear Regulatory Enablement and Mandates under PSD3/PSR. This involves the following key considerations:
threeDSRequestorAuthenticationInfo field used in EMV 3DS for merchant FIDO data
Beyond regulatory clarity, Operationalizing Trust with Merchant-Held Passkeys is crucial for widespread adoption. This requires robust systems and processes for:
Finally, the long-term success of passkey-based DA will depend on Evolving Standards and a firm shift towards an Outcome-Based SCA Perspective. This entails:
This evolution would allow the payments ecosystem to capitalize on the significant existing investment in and adoption of synced passkeys by both users and merchants, creating a path for more secure, seamless, and widely accessible Delegated Authentication.
The sequence diagram above illustrates a potential future for Delegated Authentication (DA) leveraging passkeys within the payment ecosystem. It depicts a streamlined flow where merchants, using passkeys, could perform Strong Customer Authentication (SCA) on behalf of issuers. This vision aligns with the direction of PSD3/PSR and the increasing adoption of passkey technology.
Reality Check: However, this envisioned future is not yet the current standard. Several practical challenges must be addressed for widespread adoption. Regulatory frameworks, particularly under the upcoming PSD3/PSR, need to fully clarify how synced passkeys fit into Strong Customer Authentication and how liability will be managed in Delegated Authentication scenarios. Essential technical standards, including those for issuers to verify merchant-held passkeys and for ensuring consistent dynamic transaction linking across all platforms, are still maturing. Building broad issuer trust in merchant-led authentication processes is also a critical step. Moreover, ensuring a seamless user experience, managing potentially multiple passkeys per user, and achieving universal browser/platform support for all required payment-specific functionalities remain ongoing endeavors. Finally, addressing any lingering security perceptions around synced passkey ecosystems and the reliability of attestation will be important for building full confidence.
Despite these hurdles – many of which are specific to European SCA legislation which, it's important to remember, only applies to Europe – the underlying technology for such a system is largely in place. This is evidenced by the reality today: widespread passkey adoption by major players outside the EU, such as PayPal, and extensive use by numerous US banks (including those utilizing Banno by Jack Henry and many others). The depicted flow is therefore technically feasible and would capitalize on this strong, existing momentum of passkey adoption by users and merchants, rather than working against it. This approach could pave the way for more secure and seamless payment experiences globally.
The proposed PSD3 and PSR represent a significant evolution in the EU's payment regulatory framework, aiming to build upon PSD2's foundations while addressing its limitations and adapting to a rapidly digitizing market.
A key development is the explicit enablement of Delegated Authentication (DA), allowing third parties like merchants and wallets to perform Strong Customer Authentication (SCA) on behalf of issuing banks. However, this enablement comes with a crucial caveat within the EU: the classification of DA as 'outsourcing'. This triggers a complex web of compliance obligations under the EBA Guidelines on Outsourcing Arrangements and the Digital Operational Resilience Act (DORA). Furthermore, the proposals shift liability for failed SCA directly onto the entity performing the delegated authentication.
This creates a fundamental tension, particularly within the European context. On one side, there is the regulatory drive for enhanced security, control, and resilience, manifested through stringent outsourcing and operational resilience requirements. On the other side, there is the industry's strong desire for innovation, flexibility, and improved user experiences, which DA, particularly when combined with modern methods like passkeys, promises to deliver. The intense lobbying efforts surrounding the definition of 'outsourcing' for DA purposes highlight this conflict. It's noteworthy that while these specific regulatory hurdles are prominent in the EU, the underlying passkey technology is seeing robust global adoption and successful implementation in other markets with different regulatory landscapes.
The future adoption rate and impact of Delegated Authentication, especially within the EU, hinge critically on the final details of the legislative process – particularly concerning the scope of outsourcing rules, the allocation of liability, and crucially, the explicit recognition of synced passkeys as an SCA-compliant mechanism within DA. The industry's ability to establish practical, scalable trust frameworks between issuers and TSPs performing authentication will also be paramount.
Passkeys, particularly synced passkeys, are intrinsically aligned with the goals of DA, offering robust phishing resistance and the potential for seamless, biometric-based user experiences. They represent a compelling alternative to traditional passwords and OTPs. The challenge lies not in the technical feasibility of using passkeys for DA – as evidenced by their successful global adoption for various authentication purposes – but in navigating the EU-specific regulatory requirements and establishing clear, outcome-based criteria for their acceptance under SCA. An approach that prioritizes the demonstrable security outcomes of passkey authentications (e.g., cryptographic verifiability, phishing resistance, dynamic linking) over rigid adherence to traditional factor categorizations will be essential for unlocking their full potential in DA.
For businesses operating in the European payments ecosystem, the coming years require careful monitoring of the finalization of PSD3, PSR, and associated EBA technical standards. Organizations should proactively assess how Delegated Authentication, supercharged by the maturing passkey ecosystem, might reshape their payment and authentication strategies. This involves not only evaluating the potential of technologies like synced passkeys but also preparing for the operational and compliance shifts necessary to build verifiable trust with partners in DA arrangements.
For providers of authentication solutions, the opportunity lies in developing offerings that are secure, user-friendly, and architected to help customers (TSPs) meet the demanding compliance requirements of DA within the PSD3/PSR landscape. This includes facilitating the secure exchange of authentication data and supporting mechanisms that allow issuers to confidently verify DA transactions performed with merchant-held passkeys, ultimately fostering the secure and seamless payment experiences that PSD3/PSR aims to achieve by leveraging the global momentum of passkey technology.