[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7658 Introduced in House (IH)]
<DOC>
119th CONGRESS
2d Session
H. R. 7658
To amend the Food and Nutrition Act of 2008 to require the promulgation
of cybersecurity and digital service regulations relating to the use of
EBT cards under the supplemental nutrition assistance program, and for
other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 24, 2026
Mr. Goldman of New York (for himself, Mr. Lawler, Mr. Smith of
Washington, and Mr. Fitzpatrick) introduced the following bill; which
was referred to the Committee on Agriculture
_______________________________________________________________________
A BILL
To amend the Food and Nutrition Act of 2008 to require the promulgation
of cybersecurity and digital service regulations relating to the use of
EBT cards under the supplemental nutrition assistance program, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Enhanced Cybersecurity for SNAP Act
of 2026''.
SEC. 2. ENHANCED CYBERSECURITY FOR EBT CARDS.
Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)) is amended by adding at the end the following:
``(15) Cybersecurity of ebt cards.--
``(A) Definitions.--In this paragraph:
``(i) Chip-enabled.--
``(I) In general.--The term `chip-
enabled', with respect to a payment
card, means a payment card that uses
industry standard secure payment
technology, as identified by the
Administrator of the Food and Nutrition
Service in consultation with the
Secretary of the Treasury and the
Director of the National Institute of
Standards and Technology, that--
``(aa) provides for secure
card-based payment; and
``(bb) is resistant to
cloning.
``(II) Chip card technology.--The
Administrator of the Food and Nutrition
Service, in consultation with the
Secretary of the Treasury and the
Accredited Standards Committee X9,
shall consider whether the secure
payment technology described in
subclause (I) should meet the industry
standards for contact and contactless
payments.
``(ii) Mobile friendly.--The term `mobile
friendly' has the meaning given the term in
section 3559(b) of title 44, United States
Code.
``(iii) NIST pin and password standards.--
The term `NIST PIN and password standards'
means the PIN and password standards described
in Special Publication 800-63B entitled
`Digital Identity Guidelines' (or a successor
document) of the National Institute of
Standards and Technology.
``(iv) PIN.--The term `PIN' has the meaning
given the term `personal identification number
(PIN)' in section 271.2 of title 7, Code of
Federal Regulations (or successor regulations).
``(B) Regulations.--
``(i) In general.--Not later than 2 years
after the date of enactment of this paragraph,
the Secretary shall promulgate, and every 5
years thereafter, the Secretary shall review
and update as necessary, cybersecurity and
digital service regulations relating to EBT
cards and mobile technologies under the
supplemental nutrition assistance program,
including, at a minimum, to ensure that
cybersecurity measures for EBT cards and mobile
technologies keep pace with security safeguards
used by the private sector and required by
Federal agencies for credit, debit, and other
payment cards and mobile technologies.
``(ii) Requirements.--The Secretary shall
ensure that the cybersecurity and digital
service regulations described in clause (i)
require the following:
``(I)(aa) Each State shall operate
the user interfaces listed on the list
of required user interfaces maintained
by the Secretary under item (dd)(AA),
in accordance with this subclause, 1 or
more user interfaces of which
households in the State may, at the
election of the applicable household,
use to manage the EBT account of the
applicable household.
``(bb)(AA) A State may operate
other user interfaces under item (aa)
in addition to the required user
interfaces on the list maintained by
the Secretary under item (dd)(AA).
``(BB) Any web-based online portal
operated by a State as a user interface
shall be mobile friendly.
``(cc) Each user interface offered
by a State under items (aa) and (bb),
as applicable, shall--
``(AA) provide information
in each language in which the
State agency is required to
make material available
pursuant to section 272.4(b) of
title 7, Code of Federal
Regulations (or successor
regulations);
``(BB) be available to
households at least 99 percent
of the time; and
``(CC) include any other
features required by the
Secretary.
``(dd)(AA) The Secretary shall
maintain a list of required user
interfaces for purposes of item (aa),
which may include a web-based online
portal and a mobile application.
``(BB) The list under subitem (AA)
shall include an application
programming interface through which at
least 1 user interface offered by a
State under item (aa) allows households
to delegate access to some or all
account features identified by the
Secretary to third-party provided
software. No fee shall be charged to
any party for the use of that
application programming interface.
``(CC) During the 10-year period
following the date on which the
regulations promulgated pursuant to
clause (i) become final, unless the
Secretary extends that period, the
Secretary shall maintain on the list
under subitem (AA) the following user
interfaces: text message, voice
telephone service, and a nondigital
user interface that does not require
the use of a phone or computer by the
household.
``(II)(aa) Each State shall provide
households on an opt-in basis--
``(AA) through each digital
user interface offered under
subclause (I), timely
electronic notice of
transactions using the EBT
account of the household; and
``(BB) through each user
interface offered under
subclause (I), access to,
including the ability to
search, historical transactions
for not less than the preceding
12 months.
``(bb) Transaction information
under subitems (AA) and (BB) of item
(aa) shall include the amount of the
transaction, the merchant for the
transaction, the city and State of the
merchant for an in-person transaction,
and the delivery address or collection
address for an online transaction.
``(cc) Each State shall offer
households the ability, through each
user interface offered under subclause
(I), to report a fraudulent transaction
to the State.
``(dd) A State shall not require a
household to respond to or acknowledge
a notice of transaction delivered
pursuant to item (aa)(AA).
``(ee) A State shall notify any
household that has reported an instance
of EBT card skimming or fraud, or is
otherwise identified as being a victim
of EBT card skimming or fraud, of any
State or Federal funds that may be
reimbursed if the household experiences
fraud again.
``(III) Each State shall provide
households issued an EBT card the
ability, through each user interface
offered under subclause (I) to check
the enrollment status of the household,
including the date on which the
household is required to apply for
recertification.
``(IV) Not later than 2 years after
the date on which the regulations
promulgated pursuant to clause (i)
become final, States shall begin
issuing chip-enabled EBT cards.
``(V) Not later than 4 years after
the date on which the regulations
promulgated pursuant to clause (i)
become final, States may not issue new
EBT cards with magnetic stripes.
``(VI) Not later than 5 years after
the date on which the regulations
promulgated pursuant to clause (i)
become final, States shall be required
to reissue any existing valid EBT cards
with magnetic stripes as chip-enabled
EBT cards without magnetic stripes.
``(VII) In the case of a chip-
enabled EBT card reissued pursuant to
any of subclauses (IV) through (VI),
absent suspicion of fraud, as
applicable, a State shall--
``(aa) reissue a new chip-
enabled EBT card; and
``(bb) deactivate the
current chip-enabled EBT card
on the date that is the earlier
of--
``(AA) the date on
which the new chip-
enabled EBT card is
activated; and
``(BB) 60 days
after the date on which
the new chip-enabled
EBT card is sent to the
household.
``(iii) Sunset for requirement to use chip
technology.--Under the cybersecurity
regulations described in clause (i), all EBT
cards, except EBT cards issued to victims of a
disaster pursuant to section 5(h) or solely for
benefits under the summer electronic benefits
transfer for children program established under
section 13A of the Richard B. Russell National
School Lunch Act (42 U.S.C. 1762), issued
during the 5-year period following the deadline
for carrying out clause (ii)(VI) shall be chip-
enabled, unless the Secretary extends that
period.
``(iv) Rule of construction.--The
cybersecurity and digital service regulations
described in clause (i) shall supersede any
regulations promulgated under paragraph (2) of
section 501(a) of division HH of the
Consolidated Appropriations Act, 2023 (7 U.S.C.
2016a(a)) (as in effect on the day before the
date of enactment of the Enhanced Cybersecurity
for SNAP Act of 2026).
``(C) Reimbursements.--Each State upgrading EBT
cards to comply with the regulations promulgated under
subparagraph (B)(i) shall receive reimbursement from
the Secretary in an amount determined by the Secretary
to cover all reasonable costs incurred by the State,
including--
``(i) the 1-time up-front costs paid by the
State to card vendors;
``(ii) the additional annual fees
associated with chip-enabled cards paid by
States to card vendors; and
``(iii) postage or other delivery-related
costs.
``(D) Prohibition on password and pin requirements
inconsistent with federal cybersecurity standards.--
Beginning 60 days after the date of enactment of this
paragraph, a State agency may not require, with respect
to a PIN for use of an EBT card or a password for
access to an online account or mobile application
managing the EBT card--
``(i) that the PIN or password be
periodically changed in circumstances that are
prohibited by the NIST PIN and password
standards; or
``(ii) that the password meet complexity
requirements that are prohibited by the NIST
PIN and password standards.
``(E) Grant program for chip-enabled ebt cards.--
``(i) Definitions.--In this subparagraph:
``(I) Administering entity.--The
term `administering entity' means an
entity awarded a grant under clause
(ii) to provide subgrants to eligible
entities.
``(II) Eligible entity.--The term
`eligible entity' means--
``(aa) an entity described
in paragraph (1) or (3) of
section 3(o) that--
``(AA) is
authorized to
participate in the
supplemental nutrition
assistance program
under section 9;
``(BB) does not
have payment terminals
that accept chip-
enabled EBT cards; and
``(CC) is located
in an area with limited
grocery access, as
determined by the
Secretary; and
``(bb) an entity described
in paragraph (2), (4), or (5)
of section 3(o) that meets the
requirements described in
subitems (AA) and (BB) of item
(aa).
``(ii) Grants.--The Secretary shall
establish a grant program to award a grant to
an administering entity to provide subgrants to
eligible entities to upgrade to chip-compatible
payment terminals that support contact and
contactless payment card technology.
``(F) Data collection.--The Secretary shall--
``(i) collect, and publish on the website
of the Department of Agriculture, data on--
``(I) the length of time each user
interface offered by each State
pursuant to subparagraph (B)(ii)(I) was
unavailable for use, including due to
technical problems or maintenance
needs; and
``(II) cybersecurity measures
adopted for EBT cards in each State;
and
``(ii) maintain and annually update the
data collected under clause (i) to support
States in implementing any regulations
promulgated pursuant to subparagraph (B)(i).
``(G) Public report.--
``(i) In general.--Not later than 1 year
after the date of enactment of this paragraph,
and every 2 years thereafter, the Secretary
shall submit to the Committees on
Appropriations and Agriculture, Nutrition, and
Forestry of the Senate and the Committees on
Appropriations and Agriculture of the House of
Representatives, and make publicly available on
the website of the Department of Agriculture, a
report that--
``(I) identifies trends relating to
the theft of benefits, including the
frequency of theft of benefits, the
locations at which EBT cards are
compromised, and the method by which
EBT cards are compromised;
``(II) evaluates the effectiveness
of existing cybersecurity regulations
for the supplemental nutrition
assistance program, including
identifying ineffective measures and
the compliance burden borne by
individual benefit recipients;
``(III) describes the efforts of
States--
``(aa) to update
cybersecurity measures for EBT
cards; and
``(bb) to reimburse stolen
benefits; and
``(IV) examines usability issues of
EBT cards, including issues that
present barriers to households using
benefits or affect fraud prevention
goals.
``(ii) Restricted annex.--The report under
clause (i) may include a nonpublicly available
annex containing classified or law enforcement-
sensitive information and any identifying
merchant information.''.
SEC. 3. ONLINE TRANSACTION SECURITY.
Section 7(h) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)) (as amended by section 2) is amended by adding at the end the
following:
``(16) Online transaction security.--
``(A) In general.--In promulgating and updating, as
necessary, the regulations under paragraph (15)(B)(i),
the Secretary shall, with respect to online
transactions using EBT cards (or any successor
financial product used for a substantially similar
purpose)--
``(i) require security measures that--
``(I) are effective in detecting
and preventing theft of benefits
through online transactions, including
the theft of data from online merchants
that may compromise the ability of a
household to use benefits in
transactions with other merchants,
either online or in-person; and
``(II) prevent sensitive data from
being stolen during online transactions
and securely manage sensitive data
generated by online transactions,
including through cybersecurity
enhancements for online retailers;
``(ii) establish standard reporting methods
for States to collect and share data with the
Secretary on the scope of benefits and data
being stolen through online transactions; and
``(iii) in carrying out clauses (i) and
(ii), take into consideration the feasibility
of cost, availability, and implementation for
States.
``(B) Consultation.--In carrying out subparagraph
(A), the Secretary shall consult with the Director of
the Administration for Children and Families, the
Attorney General of the United States, State agencies,
retail food stores, and EBT contractors--
``(i) on the measures, methods, and
considerations under that subparagraph; and
``(ii) to determine--
``(I) how benefits are being stolen
and sensitive data is being compromised
through online transactions; and
``(II) how those stolen benefits
and data are being used.
``(C) Report.--
``(i) In general.--Not later than 3 years
after the date of enactment of this paragraph,
and every 2 years thereafter, the Secretary
shall submit to the Committee on Agriculture,
Nutrition, and Forestry of the Senate and the
Committee on Agriculture of the House of
Representatives a report that includes--
``(I) to the maximum extent
practicable, information on the
frequency of theft of benefits, the
number of reported thefts from online
transactions, the amount of benefits
stolen through online transactions, and
the online retailers most commonly
compromised;
``(II) a description of the
measures and methods developed, and
considerations taken, under
subparagraph (A);
``(III) the determinations made
under subparagraph (B)(ii); and
``(IV) recommendations on how to
consistently detect, track, report, and
prevent theft of benefits, including
the theft of data described in
subparagraph (A)(i)(I).
``(ii) Confidential annex.--The report
under clause (i) may include a nonpublicly
available confidential annex containing any
identifying merchant information.''.
SEC. 4. ENSURING NO LOSS OF ACCESS TO BENEFITS DUE TO EBT CARD DAMAGE,
LOSS, OR FRAUD.
Section 7(h)(7) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)(7)) is amended--
(1) by striking ``Regulations'' and inserting the
following:
``(A) In general.--Regulations''; and
(2) by adding at the end the following:
``(B) Ensuring no loss of access to benefits due to
ebt card damage, loss, or fraud.--Not later than 180
days after the date of enactment of the Enhanced
Cybersecurity for SNAP Act of 2026, the Secretary shall
promulgate regulations requiring the following:
``(i) If an EBT card is damaged, no longer
functions properly, is stolen, or is frozen due
to fraud, the applicable State shall take the
necessary steps to ensure that the household
receives a replacement card, either by mail or
in person, as selected by the household, not
later than 3 business days after the household
submits to the State a request for a
replacement EBT card.
``(ii) A State shall not require, but shall
offer as an option, in-person collection of a
new or replacement EBT card.''.
SEC. 5. NO REPLACEMENT FEES FOR CERTAIN EBT CARDS.
Section 7(h)(8)(A) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)(8)(A)) is amended--
(1) by striking ``A State agency'' and inserting the
following:
``(i) In general.--Except as provided in
clause (ii), a State agency''; and
(2) by adding at the end the following:
``(ii) Exceptions.--Beginning 60 days after
the date of enactment of the Enhanced
Cybersecurity for SNAP Act of 2026, a State
agency may not collect a charge under clause
(i) if the replacement of the EBT card is due
to--
``(I) the EBT card malfunctioning;
``(II) suspected or reported fraud
relating to that EBT card by an
individual outside of the household to
which the EBT card belongs;
``(III) the expiration of the EBT
card; or
``(IV) required replacement of the
EBT card in compliance with regulations
promulgated pursuant to paragraph
(15)(B).''.
SEC. 6. REQUIREMENT FOR RETAILER USE OF CHIP-ENABLED PAYMENT TERMINALS
AS A CONDITION OF SNAP PARTICIPATION.
Section 9(a) of the Food and Nutrition Act of 2008 (7 U.S.C.
2018(a)) is amended--
(1) in paragraph (2)--
(A) by striking ``(2) The Secretary'' and inserting
the following:
``(2) Regulations.--The Secretary''; and
(B) by indenting the margins of subparagraphs (A)
and (B) appropriately;
(2) by indenting the margin of paragraph (3) appropriately;
and
(3) by adding at the end the following:
``(5) Chip-enabled payment terminals.--Beginning not later
than 180 days after the date on which the regulations
promulgated pursuant to section 7(h)(15)(B)(i) become final,
the Secretary shall require retail food stores and wholesale
food concerns seeking authorization or reauthorization to
accept and redeem benefits under the supplemental nutrition
assistance program to have a chip-enabled (as defined in
section 7(h)(15)(A)) payment terminal at each retail location
of the retail food store or wholesale food concern.''.
SEC. 7. REPORT ON EBT CARDS ISSUED IN PUERTO RICO.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Secretary of Agriculture shall submit to the
Committees on Appropriations and Agriculture, Nutrition, and Forestry
of the Senate and the Committees on Appropriations and Agriculture of
the House of Representatives, and make publicly available on the
website of the Department of Agriculture, a report on the security of
EBT cards (as defined in section 3 of the Food and Nutrition Act of
2008 (7 U.S.C. 2012)) issued in the Commonwealth of Puerto Rico,
including--
(1) the resistance of those EBT cards to cloning; and
(2) if appropriate, recommendations for improving the
security of the electronic benefit transfer system against EBT
card cloning-based fraud.
(b) Restricted Annex.--The report under subsection (a) may include
a nonpublicly available annex containing classified or law enforcement-
sensitive information.
SEC. 8. CONFORMING AMENDMENTS.
Section 501 of division HH of the Consolidated Appropriations Act,
2023 (7 U.S.C. 2016a), is amended--
(1) in subsection (a)--
(A) by striking paragraphs (1) and (2);
(B) by redesignating paragraphs (3) through (5) as
paragraphs (1) through (3), respectively; and
(C) in paragraph (3) (as so redesignated)--
(i) in subparagraph (B), by adding ``and''
at the end;
(ii) by striking subparagraph (C); and
(iii) by redesignating subparagraph (D) as
subparagraph (C); and
(2) in subsection (b)--
(A) in paragraph (1)--
(i) in subparagraph (A)(vi), by striking
``measures'' and all that follows through
``(a)(1)'' and inserting ``measures'';
(ii) in subparagraph (B), by adding ``and''
at the end;
(iii) in subparagraph (C), by striking
``and'' at the end; and
(iv) by striking subparagraph (D); and
(B) in paragraph (3), by striking ``subsection
(a)(3)'' and inserting ``subsection (a)(1)''.
<all>