Bottom line: PSD3 and the Payment Services Regulation reached provisional political agreement on November 27, 2025. The PSR is directly applicable; PSD3 requires national transposition. Official Journal publication is expected in H1 2026, with a 21-month transition before provisions apply — meaning earliest enforcement around Q1 2028. The framework introduces mandatory Verification of Payee, strengthened SCA, platform liability for fraud, and tighter rules on the commercial agent exemption. For agentic payments operators in the EU, the design implications are immediate: build for verifiable consent and auditable mandate chains now, not in 2027.
Where the legislation stands today
After two and a half years of negotiation, the European Parliament and Council reached provisional agreement on November 27, 2025. The trilogue texts are now undergoing legal-linguistic review — translating into all 24 EU official languages and ensuring legal consistency.
Per ClearingPost's March 2026 update, Official Journal publication is anticipated in H1 2026, with some industry observers considering summer 2026 realistic. After publication, the PSR enters into force 20 days later, with a 21-month transition period before its provisions apply. PSD3 (a Directive) gives Member States 18 months to transpose it into national law.
| Milestone | Expected timing |
|---|---|
| Provisional political agreement | 27 November 2025 ✓ |
| Official Journal publication | H1 2026 (mid-2026 likely) |
| PSR enters into force | OJ + 20 days |
| PSD3 Member State transposition deadline | OJ + 18 months (~Q4 2027) |
| PSR provisions start applying | OJ + 21 months (~Q1 2028) |
| Verification of Payee liability regime applies | OJ + 24 months (~mid-2028) |
What's actually changing?
PSD3/PSR is not a clean rewrite. It's a structural reset that moves most conduct rules from a Directive (PSD2) to a directly applicable Regulation (PSR), aiming to eliminate the divergent Member State implementations that fragmented the PSD2 era. Five changes matter most for agentic payments operators.
1. Mandatory Verification of Payee (VoP)
Per the Norton Rose Fulbright analysis, payee name-to-IBAN matching is codified into primary legislation, extending beyond the existing SEPA Instant Payments Regulation requirement. The corresponding liability regime applies 24 months after entry into force. Firms not yet implementing VoP need to start now — the SEPA Instant Payments Regulation already mandates it for eurozone instant payments, so the muscle exists.
For agentic payments, VoP is a hard gate before issuing or charging any agent-issued credential against a target merchant. Agents that route to unverified payees become a liability surface.
2. Strengthened Strong Customer Authentication
PSR clarifies SCA application across more transaction types, with specific rules for digital wallets and tokenized credentials. The framework strengthens biometric authentication requirements. For agent-initiated payments, this dovetails with Visa Payment Passkeys and AP2's hardware-backed mandate signing — both already designed to satisfy the "user-present, signed at the moment of authorization" pattern PSD3/PSR is hardening.
3. Platform liability for fraud
Per the European Parliament's legislative train, fraud liability provisions were strengthened beyond the Commission's initial draft, and platform liability was added during negotiations — extending fraud obligations beyond traditional PSPs to e-commerce platforms and marketplaces. This is a substantial shift for AI platforms running agent commerce surfaces. Per Fenwick's April 2026 analysis, "existing financial and consumer protection laws built around human-decisioned transactions may not appropriately address the challenges raised by agentic payments."
4. Commercial agent exemption — uncertain
The Commission's original PSR draft significantly narrowed the commercial agent exemption that many marketplaces and platforms rely on to operate without a payment institution license. The Council's later draft reverted closer to the PSD2 position. Per Adyen's PSD3 hub, "the continued availability of the commercial agent exemption to marketplace platforms under PSR is currently uncertain and will be known only when the final text of PSR is agreed by the EU institutions."
For agentic platforms acting as both buyer agent and merchant aggregator, this is a major variable — and a reason to plan for a partnered-PSP model rather than rely on an exemption that may not survive.
5. EMI / PI merger and DORA alignment
PSD3 merges electronic money institutions into a single regime alongside payment institutions, with stronger requirements for entities that issue e-money. Existing PI/EMI licenses are grandfathered for a defined period (the Council text proposes 2.5 years), but firms must submit a re-authorization application demonstrating PSD3 compliance — including alignment with the Digital Operational Resilience Act (DORA). New applicants must submit a winding-up plan as part of the licensing application.
What does this mean for AI agent payments specifically?
PSD3/PSR doesn't name AI agents in its current text. The legal questions about agent authorization remain unsettled — but the regulatory direction is unmistakable.
Per Fenwick's April 2026 review, the foundational distinction in payments law is whether a transfer was "authorized" or "unauthorized," which often turns on "demonstrable consent." It's currently unresolved whether granting an AI agent access to payment credentials satisfies that requirement. AP2's Cart Mandate and Intent Mandate are explicit attempts to engineer the answer — cryptographically signed, hardware-backed, non-repudiable consent that maps cleanly to PSD3/PSR's authentication framework.
Three design principles fall out of this for any team building agentic payments in the EU:
- Cryptographic mandate, not credential delegation. Don't share a card with the agent. Issue scoped, single-use credentials bound to a verifiable user mandate. This satisfies SCA, gives you VoP-checkable payee data, and produces the audit trail PSD3/PSR liability regimes expect.
- Auditable state machine for every transaction. Intent → grant → issue → authorize → settle → reconcile, each step idempotent and traceable. This is what Mastercard's Verifiable Intent framework standardizes at the network level — but you need it at the application level too, today.
- EU-native operations from day one. EU data residency, GDPR by design, DORA-aligned operational resilience, partnered EMI/PI for the regulated leg. Retrofitting PSD3 compliance onto a US-built stack is a major program; building EU-native makes it a configuration change.
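The "auditable state machine" principle and the VoP hard gate described above, sketched as an added example; it is not code from Ovra, AP2 or Mastercard. The step order is the article's, while `TransactionLedger`, its field names, the hash-chain layout and the caller-supplied `vop_matched` flag are assumptions.

```python
import hashlib, json

# Step order is the article's; the class, field names and hash-chain
# layout are assumptions made for this example.
STEPS = ["intent", "grant", "issue", "authorize", "settle", "reconcile"]
GENESIS = "0" * 64

class VoPMismatch(Exception):
    """Payee name/IBAN check has not passed, so no credential is issued."""

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TransactionLedger:
    def __init__(self, tx_id, mandate_digest):
        self.tx_id = tx_id
        self.mandate_digest = mandate_digest  # hash of the user's signed mandate
        self.entries = []                     # append-only audit trail
        self.seen = {}                        # idempotency key -> recorded entry

    def advance(self, step, idem_key, detail=None, vop_matched=False):
        if idem_key in self.seen:             # retry: return the original entry
            if self.seen[idem_key]["step"] != step:
                raise ValueError("idempotency key reused for a different step")
            return self.seen[idem_key]
        done = len(self.entries)
        expected = STEPS[done] if done < len(STEPS) else None
        if step != expected:
            raise ValueError(f"out-of-order step {step!r}; expected {expected!r}")
        if step == "issue" and not vop_matched:
            raise VoPMismatch("payee not verified; refusing to issue credential")
        body = {"tx": self.tx_id, "mandate": self.mandate_digest, "step": step,
                "detail": detail or {},
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry = dict(body, hash=digest(body))
        self.entries.append(entry)
        self.seen[idem_key] = entry
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["step"] != STEPS[i] or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A hash chain only reveals tampering to someone who holds a trusted copy of the latest hash, so store that value outside the application's own database.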
What should EU operators do in 2026?
Per Norton Rose Fulbright and SZA Schilling, Zutt & Anschütz, the practical 2026 checklist:
- Gap analysis now. Map current compliance posture against PSD3/PSR requirements: fraud liability, VoP, SCA, data access, licensing scope.
- VoP readiness. If not already implemented, start now. The SEPA Instant Payments Regulation already requires it; PSR extends it across all payment types.
- Platform compliance assessment. E-commerce platforms and marketplaces should assess exposure to the new platform liability provisions.
- Budget for 2027–2028. The 21-month transition sounds generous; complex programs (GDPR, PSD2, DORA) consistently take longer than expected.
- Plan alongside parallel regimes. PSD3/PSR doesn't exist in isolation — implementation must coordinate with FIDA (Financial Data Access Regulation, still in trilogue), DORA (already in effect), the EU Instant Payments Regulation (already in effect), and MiCA (already in effect for stablecoins).
Where Ovra fits
Ovra is built EU-native: German entity, GDPR by design, EU data residency, AES-256-GCM card data encryption, an immutable Intent → Grant → Issue audit trail per transaction. The architecture maps directly to the cryptographic mandate pattern PSD3/PSR's authentication framework expects. As the regulated EMI partnership ships and Ovra moves from in-process sandbox issuer to real card networks, the developer interface stays identical — but the underlying legal posture is already aligned with how the EU is regulating non-human payment flows.
The 21-month PSR transition isn't slack. Builders who treat it as runway end up with a compliance project for 2027. Builders who design to the new framework now get a runtime advantage — and a regulator who understands what they're doing.
Further reading
- European Parliament — Payment services and electronic money services (Directive) — official legislative train.
- Council of the EU — Final compromise text (April 2026) — confirmation of the agreed PSD3/PSR text.
- ClearingPost — PSD3/PSR 2026 readiness update — March 2026 timeline analysis.
- Norton Rose Fulbright — PSD3 and PSR overview — legal practitioner deep dive.
- Fenwick — Is 2026 the Year of Agentic Payments? — US legal context for agentic AI payments.
- Adyen — PSD3 knowledge hub — practical PSP perspective on the commercial agent exemption.
Frequently asked questions
- When does PSD3 / PSR take effect?
  Provisional political agreement was reached November 27, 2025. Official Journal publication is expected in H1 2026 (some observers say summer 2026 is realistic). After publication, the PSR enters into force 20 days later with a 21-month transition before provisions apply — meaning earliest application is Q1 2028. PSD3 (a Directive) gives Member States 18 months to transpose into national law. The Verification of Payee obligation applies 24 months after entry into force.
- What's the difference between PSD3 and PSR?
  PSD3 is a Directive — Member States transpose it into national law. It governs licensing, prudential, and supervisory rules for payment institutions and e-money institutions, which are now merged into a single regime. PSR is a Regulation — directly applicable across the EU without transposition. PSR governs conduct rules: SCA, Verification of Payee, fraud liability, open banking access, and operational security. The split aims to reduce divergent national implementation that defined PSD2.
- How does PSD3 / PSR affect AI agent payments?
  Three impacts. First, mandatory Verification of Payee — payee name must match IBAN before transfer, applying to all payment types beyond the existing SEPA Instant requirement. Second, strengthened Strong Customer Authentication. Third, platform liability for fraud — extending fraud obligations beyond traditional PSPs to platforms and marketplaces. For agentic payment systems, this hardens the requirement for verifiable, attestable user consent before each transaction — exactly what protocols like AP2 and frameworks like Ovra's Intent → Grant → Issue are designed to provide.
- Does PSD3 require AI agent payments to be authorized differently?
  PSD3/PSR doesn't yet name AI agents explicitly, but its consent and authentication framework forces the issue. Regulation E in the US has the same gap: it's currently unresolved whether granting an AI agent access to payment credentials satisfies the 'demonstrable consent' requirement. Per Fenwick (April 2026), 'this evolving legal and regulatory environment may affect how and when agentic payment services are released to the broader public.' Cryptographically signed mandates (AP2) and audit trails (Mastercard Verifiable Intent) are emerging as the technical answer.
- What is Verification of Payee under PSR?
  Verification of Payee (VoP) is a mandatory check that the recipient name matches the recipient IBAN before a payment is initiated. It's already required for eurozone instant payments under the SEPA Instant Payments Regulation; PSR codifies VoP into primary legislation and extends it across all payment types. The corresponding liability regime applies 24 months after PSR entry into force. PSPs that fail to perform VoP can be liable for misdirected payments.
- What is the commercial agent exemption status under PSR?
  Uncertain as of May 2026. The European Commission's draft significantly narrowed the exemption, which would force many marketplaces and platforms to obtain payment institution licenses or partner with one. The European Council's later draft reverted the exemption closer to PSD2's position. The final scope will be settled when the Official Journal text publishes — expected H1 2026. Per Adyen's analysis, EBA will issue further guidelines on the exemption's application across Member States.
- What does PSD3 mean for non-EU agentic payments companies?
  Any company providing payment services to EU users must comply with PSD3/PSR — regardless of where the company is incorporated. Existing payment institution licenses under PSD2 are grandfathered for a defined period (the Council text proposes 2.5 years), but firms must submit an application demonstrating PSD3 compliance, including alignment with the Digital Operational Resilience Act (DORA). For US-based AI platforms expanding agent payments into the EU, this is a substantive compliance program — not a checkbox.