Merchant Acquiring and Payment Processing Licenses in the EU 2026

If you process card payments, facilitate merchant settlements, or operate payment infrastructure in the European Union, your regulatory footing is about to shift. The political agreement on PSD3 and the Payment Services Regulation reached in November 2025 merges the payment institution and e-money institution categories, strengthens capital and safeguarding rules, and requires every existing licensee to re-apply within 30 months. The current PSD2 framework remains in force until the transition completes, likely in late 2027 or 2028.

Current licensing landscape under PSD2

The Payment Services Directive 2 (PSD2), in force since January 2018, defines the authorization requirements for payment institutions (PIs) operating in the EU. A PI license allows a firm to provide payment services including merchant acquiring, card issuing, payment initiation, account information services, and money remittance. An Electronic Money Institution (EMI) license, governed separately under the Electronic Money Directive 2 (EMD2), permits issuing electronic money in addition to payment services.

For merchant acquirers specifically, a PI license with authorization for "acquiring of payment transactions" (service 5 under Annex I of PSD2) is the relevant authorization. This covers accepting and processing payment transactions on behalf of a payee (the merchant), resulting in a transfer of funds to the payee. The license is granted by the national competent authority (NCA) of the EU member state where the firm is established, and passports across all 27 member states plus the EEA.

Capital thresholds under the current rules

PSD2 sets minimum initial capital based on the payment services provided. For acquirers (service 5), the minimum is EUR 125,000. For money remittance services, it is EUR 20,000. For payment initiation services only, EUR 50,000. Own funds must be maintained at the higher of: the initial capital amount, or a calculated amount based on payment volume using one of three prescribed methods. Most NCAs apply Method A or Method D, which calculate own funds as a percentage of monthly payment volume on a sliding scale.

These are regulatory minimums. In practice, NCAs in major licensing jurisdictions (Lithuania, Luxembourg, the Netherlands, Ireland) expect applicants to demonstrate capital well above the minimums, particularly for acquiring businesses where settlement risk and chargeback exposure create material financial obligations. A realistic capital commitment for a new acquiring PI ranges from EUR 350,000 to EUR 1 million depending on projected volumes and the NCA's risk assessment.

PSD3 and PSR: what changes for acquirers

On November 27, 2025, the European Parliament and Council reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR). The texts are undergoing legal-linguistic review and are expected to be published in the Official Journal toward the end of Q2 2026. Once published, PSD3 must be transposed into national law within 18 months, with the PSR applying directly 18 months after entry into force.

The reform splits the regulatory framework into two instruments. PSD3 (a directive) covers authorization, licensing, and supervision of payment institutions. The PSR (a regulation, directly applicable without national transposition) covers conduct rules, strong customer authentication (SCA), fraud prevention, open banking, and consumer rights. This split matters because licensing conditions will still vary somewhat by member state (since PSD3 requires transposition), while operational rules will be uniform across the EU.

Merged PI and EMI categories

PSD3 repeals EMD2 and integrates e-money institutions as a subcategory of payment institutions. Firms currently holding separate EMI licenses will need to convert to the new unified PI framework. For acquirers that also issue prepaid cards or operate e-money wallets, the merger simplifies the licensing structure but triggers a re-authorization process.

Re-authorization is mandatory

Existing PSD2 authorizations remain valid for 24 months after PSD3 enters into force. This period can be extended to 30 months if the institution submits a new application within the first 24 months. In practice, every existing PI and EMI in the EU will need to submit a fresh application to their NCA demonstrating compliance with PSD3 requirements. This is not a rubber stamp: NCAs will reassess governance arrangements, capital adequacy, ICT resilience (aligned with the Digital Operational Resilience Act, DORA), safeguarding policies, and winding-up plans.

The winding-up plan requirement is new. Applicants must submit a detailed plan defining measures for continuity and recovery of critical activities in case of failure, proportionate to the institution's size and business model. For acquirers processing significant merchant volumes, this means documenting how merchant settlements would be handled during an orderly wind-down.

Adjusted capital requirements

PSD3 adjusts initial capital thresholds to reflect inflation since PSD2's enactment in 2015. The European Commission initially proposed raising the e-money threshold to EUR 400,000, though the Council suggested a lower figure of EUR 150,000. Final amounts will be confirmed in the published text. For acquiring services, the minimum is expected to remain in the EUR 125,000 to EUR 150,000 range, but the own-funds calculation methodology and safeguarding requirements are being tightened, meaning the effective capital burden rises even where headline minimums stay similar.

Fraud prevention obligations and IBAN verification

The PSR introduces mandatory verification of payee (VoP) for credit transfers, requiring payment service providers to confirm that a payee's name matches the IBAN before executing a transaction. For acquirers, the fraud prevention obligations extend to implementing transaction monitoring systems, sharing fraud data with other PSPs through designated mechanisms, and applying SCA with limited exceptions.

Authorized push payment (APP) fraud liability rules are also being clarified. Under the agreed text, PSPs face stronger obligations to detect and prevent social engineering fraud, with liability rules that could expose acquirers to claims where their systems fail to flag suspicious patterns. The exact liability allocation between sending and receiving PSPs remains one of the most contested elements of the package.

MiCA interaction for crypto-payment hybrids

Firms that combine payment acquiring with Electronic Money Token (EMT) services under the Markets in Crypto-Assets Regulation (MiCA) face a dual-licensing question. An EBA No-Action Letter issued in 2025 and a subsequent Opinion of February 12, 2026, narrowed the scope of activities requiring both MiCA and PSD3 authorization, but certain business models (issuing EMTs that also function as payment instruments) still require licenses under both regimes. PSD3 introduces a simplified authorization pathway for providers already licensed under MiCA, reducing application duplication.

Direct access to payment systems

A change with real competitive implications: PSD3 amends the Settlement Finality Directive to enable direct participation of payment institutions in designated payment systems. Under PSD2, PIs typically accessed settlement systems through sponsor banks, creating dependency and cost. Direct access allows licensed acquirers to settle directly, reducing reliance on banking intermediaries and potentially lowering costs for merchants. Implementation details will depend on individual payment system operators (such as TARGET for euro-denominated transactions), but the legislative pathway is now clear.

Timeline and practical preparation

The realistic timeline: publication in the Official Journal by late Q2 2026, transposition deadline approximately late 2027, full compliance (including re-authorization) by early to mid-2028. Firms should begin gap analyses now against the agreed text, focusing on three areas: DORA-aligned ICT resilience (already a requirement from January 2025), winding-up plan preparation, and updated safeguarding arrangements.

For new applicants considering an EU payment institution license today, the strategic question is whether to apply under PSD2 now and re-authorize under PSD3 later, or wait for PSD3 transposition and apply directly. Applying now gets you market access sooner, but the re-authorization process adds cost and uncertainty. Waiting avoids the re-authorization step but delays market entry by 18 to 24 months. Most advisers recommend applying under PSD2 if you have a near-term commercial need, since the re-authorization process is designed to be manageable for compliant firms. Current application procedures vary by member state; Lithuania's central bank and Luxembourg's CSSF publish detailed guidance on their websites.