[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7316 Introduced in House (IH)]
119th CONGRESS
2d Session
H. R. 7316
To amend the Food and Nutrition Act of 2008 to require the promulgation
of cybersecurity regulations and implementation of EMV technology
relating to the use of EBT cards under the supplemental nutrition
assistance program, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 2, 2026
Ms. Malliotakis introduced the following bill; which was referred to
the Committee on Agriculture
_______________________________________________________________________
A BILL
To amend the Food and Nutrition Act of 2008 to require the promulgation
of cybersecurity regulations and implementation of EMV technology
relating to the use of EBT cards under the supplemental nutrition
assistance program, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SNAP Payment Security and Fraud
Prevention Act of 2026''.
SEC. 2. EXPANDED INVESTIGATIVE AUTHORITY OF THE DEPARTMENT OF
AGRICULTURE INSPECTOR GENERAL.
Section 16 of the Food and Nutrition Act of 2008 (7 U.S.C. 2025) is
amended by adding at the end the following:
``(i) Office of Inspector General Coordination Authority.--
``(1) The Inspector General of the Department of
Agriculture shall have full authority to investigate and
coordinate multi-jurisdictional efforts to prevent, detect, and
prosecute theft, misuse, or fraudulent accessing of
supplemental nutrition assistance program benefits, including
authority--
``(A) to investigate cyber-enabled benefit theft,
including skimming, cloning, phishing, spoofing, and
unauthorized access to EBT systems;
``(B) to issue subpoenas, executing warrants, and
initiating civil or criminal referrals;
``(C) to coordinate with the Department of Justice,
the Federal Bureau of Investigation, the Department of
Homeland Security, the Secret Service, State and local
law enforcement, and financial institutions;
``(D) to request and receive data from State EBT
processors and contracted vendors for investigative
purposes; and
``(E) to participate in interagency cyber task
forces or fraud detection initiatives.
``(2) The Secretary of Agriculture may issue rules, and
allocate funds, necessary to support the activities of the
Inspector General under this subsection.''.
SEC. 3. CIVIL PENALTY FOR THEFT OF SNAP BENEFITS.
Section 15 of the Food and Nutrition Act of 2008 (7 U.S.C. 2024) is
amended by adding at the end the following:
``(g) Civil Penalty for Theft of Supplemental Nutrition Assistance
Program Benefits.--
``(1) Any person who knowingly accesses, uses, or transfers
supplemental nutrition assistance program benefits issued to a
household without authorization shall be liable to the United
States for a civil penalty in an amount equal to twice the
value of such benefits lost as a result of such conduct.
``(2) The Secretary may assess and enforce this penalty
through an administrative proceeding under section 14 or
through a civil action in an appropriate district court of the
United States.
``(3) Funds recovered under this subsection shall be used,
as determined by the Secretary to offset--
``(A) the cost of reimbursing households for such
benefits lost as a result of the conduct described in
paragraph (1); and
``(B) the cost of the use of the enhanced
investigatory authority of the Inspector General of the
Department of Agriculture.
``(4) A civil penalty imposed under this subsection shall
be in addition to any other civil or criminal penalty imposed
under any other provision of this Act or under any other
provision of law.''.
SEC. 4. ENHANCED CYBERSECURITY FOR EBT CARDS.
Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)) is amended by adding at the end the following:
``(15) Cybersecurity of ebt cards.--
``(A) Definitions.--In this paragraph:
``(i) Chip-enabled.--
``(I) In general.--The term `chip-
enabled', with respect to a payment
card, means a payment card that uses
industry standard secure payment
technology, as identified by the
Administrator of the Food and Nutrition
Service, in consultation with the
Secretary of the Treasury and the
Director of the National Institute of
Standards and Technology, that--
``(aa) provides for secure
card-based payment; and
``(bb) is resistant to
cloning.
``(II) EMV chip.--The Administrator
of the Food and Nutrition Service, in
consultation with the Secretary of the
Treasury and the Director of the
National Institute of Standards and
Technology, shall consider whether the
secure payment technology described in
subclause (I) should meet the standards
published by EMVCo for contact and
contactless payments.
``(ii) Mobile friendly.--The term `mobile
friendly' has the meaning given the term in
section 3559(b) of title 44, United States
Code.
``(iii) NIST pin and password standards.--
The term `NIST PIN and password standards'
means the PIN and password standards described
in Special Publication 800-63B entitled
`Digital Identity Guidelines' (or a successor
document) of the National Institute of
Standards and Technology.
``(iv) PIN.--The term `PIN' has the meaning
given the term `personal identification number
(PIN)' in section 271.2 of title 7, Code of
Federal Regulations (or successor regulations).
``(B) Regulations.--
``(i) In general.--Not later than 2 years
after the date of the effective date of this
paragraph, the Secretary shall promulgate, and
every 5 years thereafter, the Secretary shall
review and update as necessary, cybersecurity
and digital service regulations relating to EBT
cards and mobile payments under the
supplemental nutrition assistance program,
including, at a minimum, to ensure that
cybersecurity measures for EBT cards and mobile
payments keep pace with security safeguards
used by the private sector and required by
Federal agencies for credit, debit, and other
payment cards and mobile payments.
``(ii) Requirements.--The Secretary shall
ensure that the cybersecurity and digital
service regulations described in clause (i)
require the following:
``(I)(aa) Each State shall operate
the user interfaces listed on the list
of required user interfaces maintained
by the Secretary under item (dd)(AA),
in accordance with this subclause, 1 or
more user interfaces of which
households in the State may, at the
election of the applicable household,
use to manage the EBT account of the
applicable household.
``(bb)(AA) A State may operate
other user interfaces under item (aa)
in addition to the required user
interfaces on the list maintained by
the Secretary under item (dd)(AA).
``(BB) Any web-based online portal
operated by a State as a user interface
shall be mobile friendly.
``(cc) Each user interface offered
by a State under items (aa) and (bb),
as applicable, shall--
``(AA) provide information
in each language in which the
State agency is required to
make material available
pursuant to section 272.4(b) of
title 7, Code of Federal
Regulations (or successor
regulations);
``(BB) be available to
households at least 99 percent
of the time; and
``(CC) include any other
features required by the
Secretary.
``(dd)(AA) The Secretary shall
maintain a list of required user
interfaces for purposes of item (aa),
which may include a web-based online
portal and a mobile application.
``(BB) The list under subitem (AA)
shall include an application
programming interface through which at
least 1 user interface offered by a
State under item (aa) allows households
to delegate access to some or all
account features identified by the
Secretary to third-party provided
software. No fee shall be charged to
any party for the use of that
application programming interface.
``(CC) During the 10-year period
following the date on which the
regulations promulgated pursuant to
clause (i) become final, unless the
Secretary extends that period, the
Secretary shall maintain on the list
under subitem (AA) the following user
interfaces: text message, voice
telephone service, and a nondigital
user interface that does not require
the use of a phone or computer by the
household.
``(II)(aa) Each State shall provide
households on an opt-in basis--
``(AA) through each digital
user interface offered under
subclause (I), timely
electronic notice of
transactions using the EBT
account of the household; and
``(BB) through each user
interface offered under
subclause (I), access to,
including the ability to
search, historical transactions
for not less than the preceding
12 months.
``(bb) Transaction information
under subitems (AA) and (BB) of item
(aa) shall include the amount of the
transaction, the merchant for the
transaction, the city and State of the
merchant for an in-person transaction,
and the delivery address or collection
address for an online transaction.
``(cc) Each State shall offer
households the ability, through each
user interface offered under subclause
(I), to report a fraudulent transaction
to the State.
``(dd) A State shall not require a
household to respond to or acknowledge
a notice of transaction delivered
pursuant to item (aa)(AA).
``(ee) A State shall notify a
household that has received
reimbursement for EBT card fraud
pursuant to section 501(b)(2) of
division HH of the Consolidated
Appropriations Act, 2023 (7 U.S.C.
2016a(b)(2)), of the ability of the
household to opt in to restricting the
use of the EBT card as described in
subclause (III) and of the remaining
funds that may be reimbursed if the
household experiences fraud again.
``(III) Each State shall provide
households issued an EBT card the
ability, through each user interface
offered under subclause (I)--
``(aa) to make the use of
that EBT card for online
transactions workable only
through virtual card numbers or
other tokenization technology,
such as through a mobile
payment service, which shall
require a different virtual
card number for each individual
online merchant;
``(bb) to freeze and
unfreeze the EBT account of the
household for transactions in
which the card number printed
on the EBT card is manually
entered, either for an in-
person transaction or an online
transaction; and
``(cc) to check the
enrollment status of the
household, including the date
on which the household is
required to apply for
recertification.
``(IV) The requirements described
in items (aa) and (bb) of subclause
(III) shall terminate 5 years after the
date on which the regulation
promulgated pursuant to that subclause
becomes final, unless the Secretary
extends that period.
``(V) A State may opt to make
ineffective the use of the card number
printed on the EBT card to complete an
online transaction, and require online
transactions to occur only in
accordance with subclause (III)(aa).
``(VI) Not later than 2 years after
the date on which the regulations
promulgated pursuant to clause (i)
become final, States shall begin
issuing chip-enabled EBT cards.
``(VII) Not later than 4 years
after the date on which the regulations
promulgated pursuant to clause (i)
become final, States may not issue new
EBT cards with magnetic stripes.
``(VIII) Not later than 5 years
after the date on which the regulations
promulgated pursuant to clause (i)
become final, States shall be required
to reissue any existing valid EBT cards
with magnetic stripes as chip-enabled
EBT cards without magnetic stripes.
``(IX) In the case of a chip-
enabled EBT card reissued pursuant to
any of subclauses (VI) through (VIII),
absent suspicion of fraud, as
applicable, a State shall--
``(aa) reissue a new chip-
enabled EBT card; and
``(bb) deactivate the
current chip-enabled EBT card
on the date that is the earlier
of--
``(AA) the date on
which the new chip-
enabled EBT card is
activated; and
``(BB) 30 days
after the date on which
the new chip-enabled
EBT card is sent to the
household.
``(iii) Sunset for requirement to use chip
technology.--Under the cybersecurity
regulations described in clause (i), all EBT
cards issued during the 5-year period following
the deadline for carrying out clause (ii)(VIII)
shall be chip-enabled, unless the Secretary
extends that period.
``(C) Prohibition on password and pin requirements
inconsistent with federal cybersecurity standards.--
Beginning 60 days after the date of enactment of this
paragraph, a State agency may not require, with respect
to a PIN for use of an EBT card or a password for
access to an online account or mobile application
managing the EBT card--
``(i) that the PIN or password be
periodically changed in circumstances that are
prohibited by the NIST PIN and password
standards; or
``(ii) that the password meet complexity
requirements that are prohibited by the NIST
PIN and password standards.
``(D) Data collection.--The Secretary shall--
``(i) collect, and publish on the website
of the Department of Agriculture, data on--
``(I) the length of time each user
interface offered by each State
pursuant to subparagraph (B)(ii)(I) was
unavailable for use, including due to
technical problems or maintenance
needs; and
``(II) cybersecurity measures
adopted for EBT cards in each State;
and
``(ii) maintain and annually update the
data collected under clause (i) to support
States in implementing any regulations
promulgated pursuant to subparagraph (B)(i).
``(E) Public report.--
``(i) In general.--Not later than 1 year
after the date of enactment of this paragraph,
and every 2 years thereafter, the Secretary
shall submit to the Committees on
Appropriations and Agriculture, Nutrition, and
Forestry of the Senate and the Committees on
Appropriations and Agriculture of the House of
Representatives, and make publicly available on
the website of the Department of Agriculture, a
report that--
``(I) identifies trends relating to
the theft of benefits, including the
frequency of theft of benefits and the
location of those thefts;
``(II) evaluates the effectiveness
of existing cybersecurity regulations
for the supplemental nutrition
assistance program, including
identifying ineffective measures and
the compliance burden borne by
individual benefit recipients;
``(III) describes the efforts of
States--
``(aa) to update
cybersecurity measures for EBT
cards; and
``(bb) to reimburse stolen
benefits; and
``(IV) examines usability issues of
EBT cards, including issues that
present barriers to households using
benefits or affect fraud prevention
goals.
``(ii) Restricted annex.--The report under
clause (i) may include a non-publicly available
annex containing classified or law enforcement-
sensitive information.''.
SEC. 5. ENSURING NO LOSS OF ACCESS TO BENEFITS DUE TO EBT CARD DAMAGE,
LOSS, OR FRAUD.
Section 7(h)(7) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)(7)) is amended--
(1) by striking ``Regulations'' and inserting the
following:
``(A) In general.--Regulations''; and
(2) by adding at the end the following:
``(B) Ensuring no loss of access to benefits due to
ebt card damage, loss, or fraud.--Not later than 180
days after the effective date of this subparagraph, the
Secretary shall promulgate regulations requiring the
following:
``(i) If an EBT card is damaged, no longer
functions properly, is stolen, or is frozen due
to fraud, the applicable State shall take the
necessary steps to ensure that the household
receives a replacement card, either by mail or
in person, as selected by the household, not
later than 3 business days after the household
submits to the State a request for a
replacement EBT card.
``(ii) A State shall not require, but shall
offer as an option, in-person collection of a
new or replacement EBT card.''.
SEC. 6. NO REPLACEMENT FEES FOR CERTAIN EBT CARDS.
Section 7(h)(8)(A) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)(8)(A)) is amended--
(1) by striking ``A State agency'' and inserting the
following:
``(i) In general.--Except as provided in
clause (ii), a State agency''; and
(2) by adding at the end the following:
``(ii) Exceptions.--Beginning 60 days after
the effective date of this clause, a State
agency may not collect a charge under clause
(i) if the replacement of the EBT card is due
to--
``(I) the EBT card malfunctioning;
``(II) suspected or reported fraud
relating to that EBT card by an
individual outside of the household to
which the EBT card belongs;
``(III) the expiration of the EBT
card; or
``(IV) required replacement of the
EBT card in compliance with regulations
promulgated pursuant to paragraph
(15)(B).''.
SEC. 7. REQUIREMENT FOR RETAILER USE OF CHIP-ENABLED PAYMENT TERMINALS
AS A CONDITION OF SNAP PARTICIPATION.
Section 9(a) of the Food and Nutrition Act of 2008 (7 U.S.C.
2018(a)) is amended--
(1) in paragraph (2)--
(A) by striking ``(2) The Secretary'' and inserting
the following:
``(2) Regulations.--The Secretary''; and
(B) by indenting the margins of subparagraphs (A)
and (B) appropriately;
(2) by indenting the margin of paragraph (3) appropriately;
and
(3) by adding at the end the following:
``(5) Chip-enabled payment terminals.--Beginning not later
than 180 days after the date on which the regulations
promulgated pursuant to section 7(h)(15)(B)(i) become final,
the Secretary shall require retail food stores and wholesale
food concerns seeking authorization or reauthorization to
accept and redeem benefits under the supplemental nutrition
assistance program to have a chip-enabled (as defined in
section 7(h)(15)(A)) payment terminal at each retail location
of the retail food store or wholesale food concern.''.
SEC. 8. REPORT.
(a) In General.--Not later than 1 year after the date of the
enactment of this Act, the Secretary of Agriculture shall submit to the
Committees on Appropriations and Agriculture, Nutrition, and Forestry
of the Senate and the Committees on Appropriations and Agriculture of
the House of Representatives, and make publicly available on the
website of the Department of Agriculture, a report on the security of
EBT cards (as defined in section 3 of the Food and Nutrition Act of
2008 (7 U.S.C. 2012)) issued in the Commonwealth of Puerto Rico,
including--
(1) the resistance of those EBT cards to cloning; and
(2) if appropriate, recommendations for improving the
security of the electronic benefit transfer system against EBT
card cloning-based fraud.
(b) Restricted Annex.--The report under subsection (a) may include
a non-publicly available annex containing classified or law
enforcement-sensitive information.
SEC. 9. CONFORMING AMENDMENTS.
Section 501 of division HH of the Consolidated Appropriations Act,
2023 (7 U.S.C. 2016a), is amended--
(1) in subsection (a)--
(A) by striking paragraphs (1) and (2);
(B) by redesignating paragraphs (3) through (5) as
paragraphs (1) through (3), respectively; and
(C) in paragraph (3) (as so redesignated)--
(i) in subparagraph (B), by adding ``and''
at the end;
(ii) by striking subparagraph (C); and
(iii) by redesignating subparagraph (D) as
subparagraph (C); and
(2) in subsection (b)--
(A) in paragraph (1)--
(i) in subparagraph (A)(vi), by striking
``measures'' and all that follows through
``(a)(1)'' and inserting ``measures'';
(ii) in subparagraph (B), by adding ``and''
at the end;
(iii) in subparagraph (C), by striking
``and'' at the end; and
(iv) by striking subparagraph (D); and
(B) in paragraph (3), by striking ``subsection
(a)(3)'' and inserting ``subsection (a)(1)''.