Section 1. Short title
This Act may be cited as the Servicemember Payment Data Privacy and Security Act.
(a) Review
Not later than 180 days after the date of the enactment of this section, the Secretary of Defense shall complete a review of all retailers to determine if such retailers use covered equipment, systems, or services as a substantial or essential component of the performance of a contract to provide payment processing equipment, systems, or services for the Department of Defense.
(b) Guidance
Not later than 90 days after completing the review required by subsection (a), the Secretary of Defense shall issue guidance prohibiting the use of covered equipment, systems, or services by a retailer in a contract with the Department of Defense. Such policy and guidance shall direct the modification or termination of such a contract unless the retailer for such contract ceases use of covered equipment, systems, or services in a timely manner.
(c) Prohibition
Effective January 1, 2027, the Secretary of Defense may not enter into a contract for payment processing equipment, systems, or services with a retailer that uses covered equipment, systems, or services as a substantial or essential component of the performance of such contract.
(d) Report
Not later than one year after the date of the enactment of this section, the Secretary of Defense shall submit to the Committees on Armed Services of the House of Representatives and the Senate a written report on the implementation of the requirements of this section.
(e) Definitions
In this section:
(1) Country of concern
The term “country of concern” means—
(A) China;
(B) Russia;
(C) the Islamic Republic of Iran;
(D) North Korea; and
(E) any other country designated by the Secretary of Defense, as posing a significant risk to the national security of the United States.
(2) Covered equipment, system, or service
The term “covered equipment, system, or service”—
(A) means a payment processing equipment, system, or service for which the application processor, source code, secure processor, or secure firmware is directly or indirectly developed, manufactured, provided, owned, controlled, or operated by—
(i) an entity organized under the laws of a country of concern;
(ii) an entity owned or controlled by the government of a country of concern;
(iii) an entity subject to the direction, jurisdiction, or control of the government, military, or intelligence services of a country of concern;
(iv) any subsidiary, affiliate, or successor entity of an entity described in clauses (i) through (iii); or
(v) an entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected entity owned or controlled by a country of concern; and
(B) includes payment processing equipment, systems, or services substantially comprised of components, software, or technology supplied by an entity described in any of clauses (i) through (v) of subparagraph (A).
(3) Electronic fund transfer
The term “electronic fund transfer”—
(A) means any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal (as defined in section 903 of the Electronic Fund Transfer Act (15 U.S.C. 1693a)), telephone, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account; and
(B) includes point-of-sale transfers, automated teller machine transactions, and direct deposits or withdrawals of funds from an account.
(4) Payment processing equipment, system, or service
The term “payment processing equipment, system, or service” means—
(A) a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers; or
(B) an electronic device, other than a telephone operated by a consumer, through which a consumer may initiate an electronic fund transfer.
(5) Retailer
The term “retailer” has the meaning given in section 4664 of title 10, United States Code.