From PSD3 and eIDAS 2.0 to Zero Trust: A New Security Strategy for the Finance and Banking Sector


The financial sector is entering a period of profound transformation. Amid the rapid increase in both the frequency and financial impact of scams and payment fraud, alongside emerging risks from quantum computing and tighter regulatory requirements under PSD3 and eIDAS 2.0, financial institutions need a well-structured, proactive, flexible, and future-ready security strategy.

From PSD1 and PSD2 to PSD3: A new standard for digital payments and fraud prevention

In 2007, the European Union’s first Payment Services Directive, PSD1, established a unified payments market, improved transparency, and enabled cross-border e-commerce. A decade later, PSD2 was introduced, driving competition through open banking, requiring Strong Customer Authentication (SCA), and creating a legal foundation for third-party access to payment accounts.

By November 2025, the European Parliament and the Council of the European Union reached a provisional political agreement on PSD3, addressing emerging challenges in digital payments, open banking, and fraud prevention.

One of the most notable aspects of PSD3 is the strengthened requirement for Strong Customer Authentication. SCA is no longer limited to payment authentication, but is also extended to a wider range of customer actions, such as changing transaction limits, updating contact information, restoring devices, setting up authorization, or changing authentication methods. Strong authentication is becoming an integral layer across the entire customer journey.

Under the latest directive, PSD3 also reinforces the responsibility of payment service providers in fraud prevention. When incidents occur involving authentication failures or suspicious transactions, legal liability must be clearly defined. This is a key driver for financial institutions to invest more heavily in multi-layered authentication, risk analytics, transaction monitoring, and digital identity protection.

In addition, PSD3 continues to promote API standardization in open banking, compliance with FAPI (the Financial-grade API security profile), and greater consistency, interoperability, and service quality among banks, fintech companies, and third-party providers.

If PSD3 raises the question of how to strengthen customer authentication, reduce fraud, and ensure accountability in digital payments, then eIDAS 2.0 provides part of the answer – by positioning digital identity and electronic identity wallets as a trusted, standardized, and cross-border foundation for user verification.

eIDAS 2.0: Digital identity as the foundation of digital trust

While PSD3 focuses heavily on payments and financial services, eIDAS 2.0 places electronic identity and trust services at its core. One of the most prominent elements of eIDAS 2.0 is the European Digital Identity Wallet, or EUDI Wallet.

The EUDI Wallet enables individuals and businesses to store, manage, and use their digital identity across a wide range of services. When integrated into the financial sector, digital identity wallets can become a powerful authentication method, helping customers access banking services, verify their identity, and conduct transactions more securely.

Beyond promoting the EUDI Wallet, eIDAS 2.0 also introduces stricter requirements for Trust Service Providers, or TSPs, in areas such as governance, risk management, and auditability. In particular, crypto-agility and readiness for Post-Quantum Cryptography, or PQC, are identified as critical factors to ensure the long-term resilience of trust services.

The requirements under PSD3 and eIDAS 2.0 reflect a clear trend: financial security is becoming inseparable from digital identity. A secure transaction requires not only a protected payment system, but also a trusted and verifiable identity authentication foundation. For banks and fintech companies, this creates an urgent need to prepare modern authentication infrastructure that can integrate with digital identity wallets, support passwordless authentication, manage the identity lifecycle, and provide compliance evidence when required.

Zero Trust Security Architecture: Never trust by default, always verify

Zero Trust is one of the most widely discussed security architectures today, thanks to its strong security posture and core principles:

  • Continuous monitoring and verification 
  • Least-privilege access 
  • Assume breach and segment the network accordingly 

Instead of assuming that users, devices, or applications inside the system are secure, the Zero Trust model starts from the principle that no user, device, or application should be trusted by default. As a result, every access request must be continuously verified, rather than checked only once at login.

For the Finance and Banking sector – where sensitive data, high-value transactions, and multiple third-party connection points are involved – a well-implemented Zero Trust security architecture can help organizations reduce the risk of unauthorized access, minimize potential damage when incidents occur, and strengthen control over activities across the entire system.
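To make the two ideas above concrete, here is an added example (not code from the original post or from Savyint's products) of a per-request policy decision that applies the Zero Trust principles listed above and steps up to Strong Customer Authentication for the sensitive actions PSD3 extends SCA to. The action names, the factor-to-category mapping, the device-trust flag, the risk threshold of 70 and the sample session are all constructed assumptions; the rule that SCA needs two independent factor categories (knowledge, possession, inherence) comes from the PSD2 regulatory technical standards.

```python
"""Per-request Zero Trust policy check with an SCA step-up for sensitive actions.

Constructed example: every request carries identity, device posture and a
risk-engine score, and the policy is evaluated on each request rather than
once at login.
"""
from dataclasses import dataclass

# Constructed set: actions the article says PSD3 brings under SCA, plus payment.
SCA_REQUIRED_ACTIONS = {
    "payment", "change_transaction_limit", "update_contact_info",
    "restore_device", "set_up_authorization", "change_auth_method",
}

# SCA factor categories (PSD2 RTS): knowledge, possession, inherence.
# The factor names on the left are constructed labels for this example.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "passkey_device": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    factors_used: tuple       # factors presented for THIS request
    device_trusted: bool      # device posture attested (assumed: managed, not rooted)
    risk_score: int           # 0-100 from a risk engine, higher is riskier
    entitlements: frozenset   # actions the user is allowed to perform at all


def satisfies_sca(factors):
    """SCA holds when the factors span at least two independent categories."""
    categories = {FACTOR_CATEGORY.get(f) for f in factors} - {None}
    return len(categories) >= 2


def evaluate(req, risk_threshold=70):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Least privilege: the entitlement is re-checked on every request.
    if req.action not in req.entitlements:
        return ("deny", "user not entitled to this action")
    # Assume breach: an unattested device never performs a sensitive action.
    if not req.device_trusted and req.action in SCA_REQUIRED_ACTIONS:
        return ("deny", "untrusted device for sensitive action")
    # Continuous verification: the risk signal is evaluated per request.
    if req.risk_score >= risk_threshold:
        return ("deny", "risk score above threshold")
    # SCA step-up: sensitive actions need two independent factor categories.
    if req.action in SCA_REQUIRED_ACTIONS and not satisfies_sca(req.factors_used):
        return ("step_up", "SCA requires a second factor category")
    return ("allow", "policy satisfied")


def evaluate_session(requests, risk_threshold=70):
    """Evaluate each request of a session independently; no decision is cached."""
    return [evaluate(r, risk_threshold)[0] for r in requests]


def sample_session():
    """Constructed session: same user and device, risk rises mid-session."""
    ent = frozenset({"view_balance", "payment", "update_contact_info"})
    return [
        Request("alice", "view_balance", ("password",), True, 10, ent),
        Request("alice", "payment", ("password",), True, 10, ent),
        Request("alice", "payment", ("password", "fingerprint"), True, 10, ent),
        # Risk engine now reports 85 (e.g. new geolocation); login-time trust
        # would still allow this, per-request evaluation does not.
        Request("alice", "update_contact_info", ("password", "fingerprint"), True, 85, ent),
        # Action outside the user's entitlements is denied regardless of factors.
        Request("alice", "change_auth_method", ("password", "fingerprint"), True, 10, ent),
    ]


if __name__ == "__main__":
    for req, decision in zip(sample_session(), evaluate_session(sample_session())):
        print(f"{req.action:22} risk={req.risk_score:3} -> {decision}")
```

The fourth request in the sample session is the one a login-only check would miss: nothing about the user's credentials changed, only the risk signal, and the policy still denies it because the decision is recomputed per request.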


Savyint Group: A trusted partner in building digital trust

Bringing together leading experts in open banking, data encryption, and payment security, Savyint is ready to accompany enterprises and global partner ecosystems throughout the journey – from assessment and roadmap consulting to testing and implementation of Zero Trust-aligned security solutions. These solutions are designed to meet stringent international standards such as PSD3, eIDAS 2.0, PCI DSS,… and to prepare organizations for the Post Quantum era.

Savyint’s comprehensive security and fraud prevention solution suite, built on a Zero Trust architecture, addresses multiple critical challenges at once:

  • User authentication: passwordless authentication such as FIDO2, passkeys, biometrics, MFA, and contextual authentication
  • Device and application protection with Device Trust, RASP+, and device fingerprinting
  • API security and customer consent management
  • Fraud prevention and transaction risk control with Risk Engine, risk scoring, and automated compliance reporting

Notably, Savyint is also the first organization to announce a PQC Lab in Vietnam. The lab enables organizations to explore NIST-approved PQC algorithms, address real-world challenges in the Finance sector, and assess compatibility, performance, and impact – without disrupting existing infrastructure or operational systems. Through this testing environment, organizations can reduce migration risks, select suitable technologies, and systematically build internal capabilities.

In addition to its deep expertise, Savyint is also a global technology partner of major industry leaders such as Entrust, Keyfactor, Crypto4A, Kryptus, Futurex, Thales,…

Connect with Savyint’s experts today to stay ahead of the next wave of security innovation. 
