Enhanced Cybersecurity for SNAP Act of 2026

This Act may be cited as the Enhanced Cybersecurity for SNAP Act of 2026.

Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)) is amended by adding at the end the following:

In this paragraph:

The term chip-enabled, with respect to a payment card, means a payment card that uses industry standard secure payment technology, as identified by the Administrator of the Food and Nutrition Service in consultation with the Secretary of the Treasury and the Director of the National Institute of Standards and Technology, that—

(aa) provides for secure card-based payment; and

(bb) is resistant to cloning.

The Administrator of the Food and Nutrition Service, in consultation with the Secretary of the Treasury and the Accredited Standards Committee X9, shall consider whether the secure payment technology described in subclause (I) should meet the industry standards for contact and contactless payments.

The term ‘mobile friendly’ has the meaning given the term in section 3559(b) of title 44, United States Code.

The term NIST PIN and password standards means the PIN and password standards described in Special Publication 800–63B entitled Digital Identity Guidelines (or a successor document) of the National Institute of Standards and Technology.

The term PIN has the meaning given the term personal identification number (PIN) in section 271.2 of title 7, Code of Federal Regulations (or successor regulations).

Not later than 2 years after the date of enactment of this paragraph, the Secretary shall promulgate, and every 5 years thereafter, the Secretary shall review and update as necessary, cybersecurity and digital service regulations relating to EBT cards and mobile technologies under the supplemental nutrition assistance program, including, at a minimum, to ensure that cybersecurity measures for EBT cards and mobile technologies keep pace with security safeguards used by the private sector and required by Federal agencies for credit, debit, and other payment cards and mobile technologies.

The Secretary shall ensure that the cybersecurity and digital service regulations described in clause (i) require the following:

(aa) Each State shall operate the user interfaces listed on the list of required user interfaces maintained by the Secretary under item (dd)(AA), in accordance with this subclause, 1 or more user interfaces of which households in the State may, at the election of the applicable household, use to manage the EBT account of the applicable household.

(AA) A State may operate other user interfaces under item (aa) in addition to the required user interfaces on the list maintained by the Secretary under item (dd)(AA).

(BB) Any web-based online portal operated by a State as a user interface shall be mobile friendly.

(cc) Each user interface offered by a State under items (aa) and (bb), as applicable, shall—

(AA) provide information in each language in which the State agency is required to make material available pursuant to section 272.4(b) of title 7, Code of Federal Regulations (or successor regulations);

(BB) be available to households at least 99 percent of the time; and

(CC) include any other features required by the Secretary.

(AA) The Secretary shall maintain a list of required user interfaces for purposes of item (aa), which may include a web-based online portal and a mobile application.

(BB) The list under subitem (AA) shall include an application programming interface through which at least 1 user interface offered by a State under item (aa) allows households to delegate access to some or all account features identified by the Secretary to third-party provided software. No fee shall be charged to any party for the use of that application programming interface.

(CC) During the 10-year period following the date on which the regulations promulgated pursuant to clause (i) become final, unless the Secretary extends that period, the Secretary shall maintain on the list under subitem (AA) the following user interfaces: text message, voice telephone service, and a nondigital user interface that does not require the use of a phone or computer by the household.

(aa) Each State shall provide households on an opt-in basis—

(AA) through each digital user interface offered under subclause (I), timely electronic notice of transactions using the EBT account of the household; and

(BB) through each user interface offered under subclause (I), access to, including the ability to search, historical transactions for not less than the preceding 12 months.

(bb) Transaction information under subitems (AA) and (BB) of item (aa) shall include the amount of the transaction, the merchant for the transaction, the city and State of the merchant for an in-person transaction, and the delivery address or collection address for an online transaction.

(cc) Each State shall offer households the ability, through each user interface offered under subclause (I), to report a fraudulent transaction to the State.

(dd) A State shall not require a household to respond to or acknowledge a notice of transaction delivered pursuant to item (aa)(AA).

(ee) A State shall notify any household that has reported an instance of EBT card skimming or fraud, or is otherwise identified as being a victim of EBT card skimming or fraud, of any State or Federal funds that may be reimbursed if the household experiences fraud again.

(III) Each State shall provide households issued an EBT card the ability, through each user interface offered under subclause (I) to check the enrollment status of the household, including the date on which the household is required to apply for recertification.

(IV) Not later than 2 years after the date on which the regulations promulgated pursuant to clause (i) become final, States shall begin issuing chip-enabled EBT cards.

(V) Not later than 4 years after the date on which the regulations promulgated pursuant to clause (i) become final, States may not issue new EBT cards with magnetic stripes.

(VI) Not later than 5 years after the date on which the regulations promulgated pursuant to clause (i) become final, States shall be required to reissue any existing valid EBT cards with magnetic stripes as chip-enabled EBT cards without magnetic stripes.

(VII) In the case of a chip-enabled EBT card reissued pursuant to any of subclauses (IV) through (VI), absent suspicion of fraud, as applicable, a State shall—

(aa) reissue a new chip-enabled EBT card; and

(bb) deactivate the current chip-enabled EBT card on the date that is the earlier of—

(AA) the date on which the new chip-enabled EBT card is activated; and

(BB) 60 days after the date on which the new chip-enabled EBT card is sent to the household.

Under the cybersecurity regulations described in clause (i), all EBT cards, except EBT cards issued to victims of a disaster pursuant to section 5(h) or solely for benefits under the summer electronic benefits transfer for children program established under section 13A of the Richard B. Russell National School Lunch Act (42 U.S.C. 1762), issued during the 5-year period following the deadline for carrying out clause (ii)(VI) shall be chip-enabled, unless the Secretary extends that period.

The cybersecurity and digital service regulations described in clause (i) shall supersede any regulations promulgated under paragraph (2) of section 501(a) of division HH of the Consolidated Appropriations Act, 2023 (7 U.S.C. 2016a(a)) (as in effect on the day before the date of enactment of the Enhanced Cybersecurity for SNAP Act of 2026).

Each State upgrading EBT cards to comply with the regulations promulgated under subparagraph (B)(i) shall receive reimbursement from the Secretary in an amount determined by the Secretary to cover all reasonable costs incurred by the State, including—

(i) the 1-time up-front costs paid by the State to card vendors;

(ii) the additional annual fees associated with chip-enabled cards paid by States to card vendors; and

(iii) postage or other delivery-related costs.

Beginning 60 days after the date of enactment of this paragraph, a State agency may not require, with respect to a PIN for use of an EBT card or a password for access to an online account or mobile application managing the EBT card—

(i) that the PIN or password be periodically changed in circumstances that are prohibited by the NIST PIN and password standards; or

(ii) that the password meet complexity requirements that are prohibited by the NIST PIN and password standards.

In this subparagraph:

The term administering entity means an entity awarded a grant under clause (ii) to provide subgrants to eligible entities.

The term eligible entity means—

(aa) an entity described in paragraph (1) or (3) of section 3(o) that—

(AA) is authorized to participate in the supplemental nutrition assistance program under section 9;

(BB) does not have payment terminals that accept chip-enabled EBT cards; and

(CC) is located in an area with limited grocery access, as determined by the Secretary; and

(bb) an entity described in paragraph (2), (4), or (5) of section 3(o) that meets the requirements described in subitems (AA) and (BB) of item (aa).

The Secretary shall establish a grant program to award a grant to an administering entity to provide subgrants to eligible entities to upgrade to chip-compatible payment terminals that support contact and contactless payment card technology.

The Secretary shall—

(i) collect, and publish on the website of the Department of Agriculture, data on—

(I) the length of time each user interface offered by each State pursuant to subparagraph (B)(ii)(I) was unavailable for use, including due to technical problems or maintenance needs; and

(II) cybersecurity measures adopted for EBT cards in each State; and

(ii) maintain and annually update the data collected under clause (i) to support States in implementing any regulations promulgated pursuant to subparagraph (B)(i).

Not later than 1 year after the date of enactment of this paragraph, and every 2 years thereafter, the Secretary shall submit to the Committees on Appropriations and Agriculture, Nutrition, and Forestry of the Senate and the Committees on Appropriations and Agriculture of the House of Representatives, and make publicly available on the website of the Department of Agriculture, a report that—

(I) identifies trends relating to the theft of benefits, including the frequency of theft of benefits, the locations at which EBT cards are compromised, and the method by which EBT cards are compromised;

(II) evaluates the effectiveness of existing cybersecurity regulations for the supplemental nutrition assistance program, including identifying ineffective measures and the compliance burden borne by individual benefit recipients;

(III) describes the efforts of States—

(aa) to update cybersecurity measures for EBT cards; and

(bb) to reimburse stolen benefits; and

(IV) examines usability issues of EBT cards, including issues that present barriers to households using benefits or affect fraud prevention goals.

The report under clause (i) may include a nonpublicly available annex containing classified or law enforcement-sensitive information and any identifying merchant information.

.

Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)) (as amended by section 2) is amended by adding at the end the following:

In promulgating and updating, as necessary, the regulations under paragraph (15)(B)(i), the Secretary shall, with respect to online transactions using EBT cards (or any successor financial product used for a substantially similar purpose)—

(i) require security measures that—

(I) are effective in detecting and preventing theft of benefits through online transactions, including the theft of data from online merchants that may compromise the ability of a household to use benefits in transactions with other merchants, either online or in-person; and

(II) prevent sensitive data from being stolen during online transactions and securely manage sensitive data generated by online transactions, including through cybersecurity enhancements for online retailers;

(ii) establish standard reporting methods for States to collect and share data with the Secretary on the scope of benefits and data being stolen through online transactions; and

(iii) in carrying out clauses (i) and (ii), take into consideration the feasibility of cost, availability, and implementation for States.

In carrying out subparagraph (A), the Secretary shall consult with the Director of the Administration for Children and Families, the Attorney General of the United States, State agencies, retail food stores, and EBT contractors—

(i) on the measures, methods, and considerations under that subparagraph; and

(ii) to determine—

(I) how benefits are being stolen and sensitive data is being compromised through online transactions; and

(II) how those stolen benefits and data are being used.

Not later than 3 years after the date of enactment of this paragraph, and every 2 years thereafter, the Secretary shall submit to the Committee on Agriculture, Nutrition, and Forestry of the Senate and the Committee on Agriculture of the House of Representatives a report that includes—

(I) to the maximum extent practicable, information on the frequency of theft of benefits, the number of reported thefts from online transactions, the amount of benefits stolen through online transactions, and the online retailers most commonly compromised;

(II) a description of the measures and methods developed, and considerations taken, under subparagraph (A);

(III) the determinations made under subparagraph (B)(ii); and

(IV) recommendations on how to consistently detect, track, report, and prevent theft of benefits, including the theft of data described in subparagraph (A)(i)(I).

The report under clause (i) may include a nonpublicly available confidential annex containing any identifying merchant information.

.

Section 7(h)(7) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)(7)) is amended—

(1) by striking Regulations and inserting the following:

Regulations

(1) ; and

(2) by adding at the end the following:

Not later than 180 days after the date of enactment of the Enhanced Cybersecurity for SNAP Act of 2026, the Secretary shall promulgate regulations requiring the following:

(i) If an EBT card is damaged, no longer functions properly, is stolen, or is frozen due to fraud, the applicable State shall take the necessary steps to ensure that the household receives a replacement card, either by mail or in person, as selected by the household, not later than 3 business days after the household submits to the State a request for a replacement EBT card.

(ii) A State shall not require, but shall offer as an option, in-person collection of a new or replacement EBT card.

(2) .

Section 7(h)(8)(A) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)(8)(A)) is amended—

(1) by striking A State agency and inserting the following:

Except as provided in clause (ii), a State agency

(1) ; and

(2) by adding at the end the following:

Beginning 60 days after the date of enactment of the Enhanced Cybersecurity for SNAP Act of 2026, a State agency may not collect a charge under clause (i) if the replacement of the EBT card is due to—

(I) the EBT card malfunctioning;

(II) suspected or reported fraud relating to that EBT card by an individual outside of the household to which the EBT card belongs;

(III) the expiration of the EBT card; or

(IV) required replacement of the EBT card in compliance with regulations promulgated pursuant to paragraph (15)(B).

(2) .

Section 9(a) of the Food and Nutrition Act of 2008 (7 U.S.C. 2018(a)) is amended—

(1) in paragraph (2)—

(A) by striking (2) The Secretary and inserting the following:

The Secretary

(A) ; and

(B) by indenting the margins of subparagraphs (A) and (B) appropriately;

(2) by indenting the margin of paragraph (3) appropriately; and

(3) by adding at the end the following:

Beginning not later than 180 days after the date on which the regulations promulgated pursuant to section 7(h)(15)(B)(i) become final, the Secretary shall require retail food stores and wholesale food concerns seeking authorization or reauthorization to accept and redeem benefits under the supplemental nutrition assistance program to have a chip-enabled (as defined in section 7(h)(15)(A)) payment terminal at each retail location of the retail food store or wholesale food concern.

(3) .

Not later than 1 year after the date of enactment of this Act, the Secretary of Agriculture shall submit to the Committees on Appropriations and Agriculture, Nutrition, and Forestry of the Senate and the Committees on Appropriations and Agriculture of the House of Representatives, and make publicly available on the website of the Department of Agriculture, a report on the security of EBT cards (as defined in section 3 of the Food and Nutrition Act of 2008 (7 U.S.C. 2012)) issued in the Commonwealth of Puerto Rico, including—

(1) the resistance of those EBT cards to cloning; and

(2) if appropriate, recommendations for improving the security of the electronic benefit transfer system against EBT card cloning-based fraud.

The report under subsection (a) may include a nonpublicly available annex containing classified or law enforcement-sensitive information.

Section 501 of division HH of the Consolidated Appropriations Act, 2023 (7 U.S.C. 2016a), is amended—

(1) in subsection (a)—

(A) by striking paragraphs (1) and (2);

(B) by redesignating paragraphs (3) through (5) as paragraphs (1) through (3), respectively; and

(C) in paragraph (3) (as so redesignated)—

(i) in subparagraph (B), by adding and at the end;

(ii) by striking subparagraph (C); and

(iii) by redesignating subparagraph (D) as subparagraph (C); and

(2) in subsection (b)—

(A) in paragraph (1)—

(i) in subparagraph (A)(vi), by striking measures and all that follows through (a)(1) and inserting measures;

(ii) in subparagraph (B), by adding and at the end;

(iii) in subparagraph (C), by striking and at the end; and

(iv) by striking subparagraph (D); and

(B) in paragraph (3), by striking subsection (a)(3) and inserting subsection (a)(1).