HR 7658
Enhanced Cybersecurity for SNAP Act of 2026
Take action
Record your position on this measure.
Sign in to record your position, submit testimony, or contact your legislator.
Sign in to take action- Introduced
- Passed House
- Passed Senate
- To President
- Became Law
Bill overview
The Enhanced Cybersecurity for SNAP Act of 2026 aims to improve the security of the Supplemental Nutrition Assistance Program (SNAP) by requiring the Department of Agriculture to establish cybersecurity regulations for EBT cards and mobile technologies. The bill mandates the use of chip-enabled EBT cards, updates existing regulations to address online transaction security and fraud prevention, and establishes a grant program to help retailers upgrade to chip-compatible payment terminals. It also includes provisions to ensure timely replacement of damaged or lost EBT cards and requires regular reporting on EBT card security, particularly in Puerto Rico.
Key provisions
- Requires the Department of Agriculture to develop and update cybersecurity regulations for EBT cards and mobile technologies.
- Mandates the issuance of chip-enabled EBT cards and a phased transition away from magnetic stripe cards.
- Establishes a grant program to assist retailers in upgrading to chip-enabled payment terminals.
- Requires states to offer timely electronic notice of transactions to recipients and provide access to historical transaction data.
- Addresses online transaction security by requiring measures to prevent theft and manage sensitive data.
- Creates a requirement for retailers participating in SNAP to use chip-enabled payment terminals.
- Establishes a process for replacing damaged or lost EBT cards within three business days.
- Prohibits charging fees for EBT card replacement under certain circumstances.
Who is affected
Sponsors
Official sponsors from legislative records.
Primary sponsor
Cosponsors
Arguments in favor
Reasons to support this legislation.
No arguments in favor have been submitted.
Submit yoursArguments opposed
Reasons to oppose this legislation.
No arguments opposed have been submitted.
Submit yoursRead the latest version inline or switch to a previous version.
119th CONGRESS — 2d Session
H. R. 7658
IN THE HOUSE OF REPRESENTATIVES
A BILL
To amend the Food and Nutrition Act of 2008 to require the promulgation of cybersecurity and digital service regulations relating to the use of EBT cards under the supplemental nutrition assistance program, and for other purposes.
This Act may be cited as the Enhanced Cybersecurity for SNAP Act of 2026
.
Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)) is amended by adding at the end the following:
In this paragraph:
provides for secure card-based payment; and
is resistant to cloning.
The Administrator of the Food and Nutrition Service, in consultation with the Secretary of the Treasury and the Accredited Standards Committee X9, shall consider whether the secure payment technology described in subclause (I) should meet the industry standards for contact and contactless payments.
The term ‘mobile friendly’ has the meaning given the term in section 3559(b) of title 44, United States Code.
The term NIST PIN and password standards
means the PIN and password standards described in Special Publication 800–63B entitled Digital Identity Guidelines
(or a successor document) of the National Institute of Standards and Technology.
The term PIN
has the meaning given the term personal identification number (PIN)
in section 271.2 of title 7, Code of Federal Regulations (or successor regulations).
Not later than 2 years after the date of enactment of this paragraph, the Secretary shall promulgate, and every 5 years thereafter, the Secretary shall review and update as necessary, cybersecurity and digital service regulations relating to EBT cards and mobile technologies under the supplemental nutrition assistance program, including, at a minimum, to ensure that cybersecurity measures for EBT cards and mobile technologies keep pace with security safeguards used by the private sector and required by Federal agencies for credit, debit, and other payment cards and mobile technologies.
The Secretary shall ensure that the cybersecurity and digital service regulations described in clause (i) require the following:
Each State shall operate the user interfaces listed on the list of required user interfaces maintained by the Secretary under item (dd)(AA), in accordance with this subclause, 1 or more user interfaces of which households in the State may, at the election of the applicable household, use to manage the EBT account of the applicable household.
A State may operate other user interfaces under item (aa) in addition to the required user interfaces on the list maintained by the Secretary under item (dd)(AA).
Any web-based online portal operated by a State as a user interface shall be mobile friendly.
Each user interface offered by a State under items (aa) and (bb), as applicable, shall—
provide information in each language in which the State agency is required to make material available pursuant to section 272.4(b) of title 7, Code of Federal Regulations (or successor regulations);
be available to households at least 99 percent of the time; and
The Secretary shall maintain a list of required user interfaces for purposes of item (aa), which may include a web-based online portal and a mobile application.
The list under subitem (AA) shall include an application programming interface through which at least 1 user interface offered by a State under item (aa) allows households to delegate access to some or all account features identified by the Secretary to third-party provided software. No fee shall be charged to any party for the use of that application programming interface.
During the 10-year period following the date on which the regulations promulgated pursuant to clause (i) become final, unless the Secretary extends that period, the Secretary shall maintain on the list under subitem (AA) the following user interfaces: text message, voice telephone service, and a nondigital user interface that does not require the use of a phone or computer by the household.
Each State shall provide households on an opt-in basis—
Each State shall offer households the ability, through each user interface offered under subclause (I), to report a fraudulent transaction to the State.
A State shall not require a household to respond to or acknowledge a notice of transaction delivered pursuant to item (aa)(AA).
A State shall notify any household that has reported an instance of EBT card skimming or fraud, or is otherwise identified as being a victim of EBT card skimming or fraud, of any State or Federal funds that may be reimbursed if the household experiences fraud again.
Each State shall provide households issued an EBT card the ability, through each user interface offered under subclause (I) to check the enrollment status of the household, including the date on which the household is required to apply for recertification.
Not later than 2 years after the date on which the regulations promulgated pursuant to clause (i) become final, States shall begin issuing chip-enabled EBT cards.
Not later than 4 years after the date on which the regulations promulgated pursuant to clause (i) become final, States may not issue new EBT cards with magnetic stripes.
Not later than 5 years after the date on which the regulations promulgated pursuant to clause (i) become final, States shall be required to reissue any existing valid EBT cards with magnetic stripes as chip-enabled EBT cards without magnetic stripes.
In the case of a chip-enabled EBT card reissued pursuant to any of subclauses (IV) through (VI), absent suspicion of fraud, as applicable, a State shall—
deactivate the current chip-enabled EBT card on the date that is the earlier of—
60 days after the date on which the new chip-enabled EBT card is sent to the household.
Under the cybersecurity regulations described in clause (i), all EBT cards, except EBT cards issued to victims of a disaster pursuant to section 5(h) or solely for benefits under the summer electronic benefits transfer for children program established under section 13A of the Richard B. Russell National School Lunch Act (42 U.S.C. 1762), issued during the 5-year period following the deadline for carrying out clause (ii)(VI) shall be chip-enabled, unless the Secretary extends that period.
The cybersecurity and digital service regulations described in clause (i) shall supersede any regulations promulgated under paragraph (2) of section 501(a) of division HH of the Consolidated Appropriations Act, 2023 (7 U.S.C. 2016a(a)) (as in effect on the day before the date of enactment of the
Enhanced Cybersecurity for SNAP Act of 2026
).Each State upgrading EBT cards to comply with the regulations promulgated under subparagraph (B)(i) shall receive reimbursement from the Secretary in an amount determined by the Secretary to cover all reasonable costs incurred by the State, including—
the 1-time up-front costs paid by the State to card vendors;
the additional annual fees associated with chip-enabled cards paid by States to card vendors; and
postage or other delivery-related costs.
Beginning 60 days after the date of enactment of this paragraph, a State agency may not require, with respect to a PIN for use of an EBT card or a password for access to an online account or mobile application managing the EBT card—
In this subparagraph:
The term administering entity means an entity awarded a grant under clause (ii) to provide subgrants to eligible entities.
The term eligible entity means—
does not have payment terminals that accept chip-enabled EBT cards; and
is located in an area with limited grocery access, as determined by the Secretary; and
an entity described in paragraph (2), (4), or (5) of section 3(o) that meets the requirements described in subitems (AA) and (BB) of item (aa).
The Secretary shall establish a grant program to award a grant to an administering entity to provide subgrants to eligible entities to upgrade to chip-compatible payment terminals that support contact and contactless payment card technology.
The Secretary shall—
the length of time each user interface offered by each State pursuant to subparagraph (B)(ii)(I) was unavailable for use, including due to technical problems or maintenance needs; and
identifies trends relating to the theft of benefits, including the frequency of theft of benefits, the locations at which EBT cards are compromised, and the method by which EBT cards are compromised;
evaluates the effectiveness of existing cybersecurity regulations for the supplemental nutrition assistance program, including identifying ineffective measures and the compliance burden borne by individual benefit recipients;
describes the efforts of States—
to update cybersecurity measures for EBT cards; and
to reimburse stolen benefits; and
examines usability issues of EBT cards, including issues that present barriers to households using benefits or affect fraud prevention goals.
The report under clause (i) may include a nonpublicly available annex containing classified or law enforcement-sensitive information and any identifying merchant information.
Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)) (as amended by section 2) is amended by adding at the end the following:
In promulgating and updating, as necessary, the regulations under paragraph (15)(B)(i), the Secretary shall, with respect to online transactions using EBT cards (or any successor financial product used for a substantially similar purpose)—
are effective in detecting and preventing theft of benefits through online transactions, including the theft of data from online merchants that may compromise the ability of a household to use benefits in transactions with other merchants, either online or in-person; and
prevent sensitive data from being stolen during online transactions and securely manage sensitive data generated by online transactions, including through cybersecurity enhancements for online retailers;
establish standard reporting methods for States to collect and share data with the Secretary on the scope of benefits and data being stolen through online transactions; and
in carrying out clauses (i) and (ii), take into consideration the feasibility of cost, availability, and implementation for States.
In carrying out subparagraph (A), the Secretary shall consult with the Director of the Administration for Children and Families, the Attorney General of the United States, State agencies, retail food stores, and EBT contractors—
how benefits are being stolen and sensitive data is being compromised through online transactions; and
how those stolen benefits and data are being used.
Not later than 3 years after the date of enactment of this paragraph, and every 2 years thereafter, the Secretary shall submit to the Committee on Agriculture, Nutrition, and Forestry of the Senate and the Committee on Agriculture of the House of Representatives a report that includes—
to the maximum extent practicable, information on the frequency of theft of benefits, the number of reported thefts from online transactions, the amount of benefits stolen through online transactions, and the online retailers most commonly compromised;
a description of the measures and methods developed, and considerations taken, under subparagraph (A);
the determinations made under subparagraph (B)(ii); and
recommendations on how to consistently detect, track, report, and prevent theft of benefits, including the theft of data described in subparagraph (A)(i)(I).
Section 7(h)(7) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)(7)) is amended—
by striking Regulations
and inserting the following:
Regulations
by adding at the end the following:
Not later than 180 days after the date of enactment of the
Enhanced Cybersecurity for SNAP Act of 2026
, the Secretary shall promulgate regulations requiring the following:If an EBT card is damaged, no longer functions properly, is stolen, or is frozen due to fraud, the applicable State shall take the necessary steps to ensure that the household receives a replacement card, either by mail or in person, as selected by the household, not later than 3 business days after the household submits to the State a request for a replacement EBT card.
A State shall not require, but shall offer as an option, in-person collection of a new or replacement EBT card.
Section 7(h)(8)(A) of the Food and Nutrition Act of 2008 (7 U.S.C. 2016(h)(8)(A)) is amended—
A State agencyand inserting the following:
Except as provided in clause (ii), a State agency
by adding at the end the following:
Beginning 60 days after the date of enactment of the
Enhanced Cybersecurity for SNAP Act of 2026
, a State agency may not collect a charge under clause (i) if the replacement of the EBT card is due to—Section 9(a) of the Food and Nutrition Act of 2008 (7 U.S.C. 2018(a)) is amended—
in paragraph (2)—
(2) The Secretaryand inserting the following:
The Secretary
by indenting the margins of subparagraphs (A) and (B) appropriately;
by indenting the margin of paragraph (3) appropriately; and
Beginning not later than 180 days after the date on which the regulations promulgated pursuant to section 7(h)(15)(B)(i) become final, the Secretary shall require retail food stores and wholesale food concerns seeking authorization or reauthorization to accept and redeem benefits under the supplemental nutrition assistance program to have a chip-enabled (as defined in section 7(h)(15)(A)) payment terminal at each retail location of the retail food store or wholesale food concern.
the resistance of those EBT cards to cloning; and
if appropriate, recommendations for improving the security of the electronic benefit transfer system against EBT card cloning-based fraud.
The report under subsection (a) may include a nonpublicly available annex containing classified or law enforcement-sensitive information.
Section 501 of division HH of the Consolidated Appropriations Act, 2023 (7 U.S.C. 2016a), is amended—
in subsection (a)—
by redesignating paragraphs (3) through (5) as paragraphs (1) through (3), respectively; and
in paragraph (3) (as so redesignated)—
in subparagraph (B), by adding and
at the end;
by striking subparagraph (C); and
by redesignating subparagraph (D) as subparagraph (C); and
in subsection (b)—
in paragraph (1)—
in subparagraph (A)(vi), by striking measures
and all that follows through (a)(1)
and inserting measures
;
in subparagraph (B), by adding and
at the end;
in subparagraph (C), by striking and
at the end; and
by striking subparagraph (D); and
in paragraph (3), by striking subsection (a)(3)
and inserting subsection (a)(1)
.