Sec. 2. Enhanced cybersecurity for EBT cards
1,708 words·~8 min read·
/bill/119/hr/7658/ih/section-2A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 7(h) of the Food and Nutrition Act of 2008 ( 7 U.S.C. 2016(h) ) is amended by adding at the end the following: In this paragraph: The term chip-enabled , with respect to a payment card, means a payment card that uses industry standard secure payment technology, as identified by the Administrator of the Food and Nutrition Service in consultation with the Secretary of the Treasury and the Director of the National Institute of Standards and Technology, that— provides for secure card-based payment; and is resistant to cloning.
The Administrator of the Food and Nutrition Service, in consultation with the Secretary of the Treasury and the Accredited Standards Committee X9, shall consider whether the secure payment technology described in subclause
(I)should meet the industry standards for contact and contactless payments. The term ‘mobile friendly’ has the meaning given the term in section 3559(b) of title 44, United States Code. The term NIST PIN and password standards means the PIN and password standards described in Special Publication 800–63B entitled Digital Identity Guidelines (or a successor document) of the National Institute of Standards and Technology. The term PIN has the meaning given the term personal identification number
(PIN)in section 271.2 of title 7, Code of Federal Regulations (or successor regulations). Not later than 2 years after the date of enactment of this paragraph, the Secretary shall promulgate, and every 5 years thereafter, the Secretary shall review and update as necessary, cybersecurity and digital service regulations relating to EBT cards and mobile technologies under the supplemental nutrition assistance program, including, at a minimum, to ensure that cybersecurity measures for EBT cards and mobile technologies keep pace with security safeguards used by the private sector and required by Federal agencies for credit, debit, and other payment cards and mobile technologies. The Secretary shall ensure that the cybersecurity and digital service regulations described in clause
(i)require the following: Each State shall operate the user interfaces listed on the list of required user interfaces maintained by the Secretary under item (dd)(AA), in accordance with this subclause, 1 or more user interfaces of which households in the State may, at the election of the applicable household, use to manage the EBT account of the applicable household. A State may operate other user interfaces under item
(aa)in addition to the required user interfaces on the list maintained by the Secretary under item (dd)(AA). Any web-based online portal operated by a State as a user interface shall be mobile friendly. Each user interface offered by a State under items
(aa)and (bb), as applicable, shall— provide information in each language in which the State agency is required to make material available pursuant to section 272.4(b) of title 7, Code of Federal Regulations (or successor regulations); be available to households at least 99 percent of the time; and include any other features required by the Secretary. The Secretary shall maintain a list of required user interfaces for purposes of item (aa), which may include a web-based online portal and a mobile application. The list under subitem
(AA)shall include an application programming interface through which at least 1 user interface offered by a State under item
(aa)allows households to delegate access to some or all account features identified by the Secretary to third-party provided software. No fee shall be charged to any party for the use of that application programming interface. During the 10-year period following the date on which the regulations promulgated pursuant to clause
(i)become final, unless the Secretary extends that period, the Secretary shall maintain on the list under subitem
(AA)the following user interfaces: text message, voice telephone service, and a nondigital user interface that does not require the use of a phone or computer by the household. Each State shall provide households on an opt-in basis— through each digital user interface offered under subclause (I), timely electronic notice of transactions using the EBT account of the household; and through each user interface offered under subclause (I), access to, including the ability to search, historical transactions for not less than the preceding 12 months. Transaction information under subitems
(AA)and
(BB)of item
(aa)shall include the amount of the transaction, the merchant for the transaction, the city and State of the merchant for an in-person transaction, and the delivery address or collection address for an online transaction. Each State shall offer households the ability, through each user interface offered under subclause (I), to report a fraudulent transaction to the State. A State shall not require a household to respond to or acknowledge a notice of transaction delivered pursuant to item (aa)(AA). A State shall notify any household that has reported an instance of EBT card skimming or fraud, or is otherwise identified as being a victim of EBT card skimming or fraud, of any State or Federal funds that may be reimbursed if the household experiences fraud again. Each State shall provide households issued an EBT card the ability, through each user interface offered under subclause
(I)to check the enrollment status of the household, including the date on which the household is required to apply for recertification. Not later than 2 years after the date on which the regulations promulgated pursuant to clause
(i)become final, States shall begin issuing chip-enabled EBT cards. Not later than 4 years after the date on which the regulations promulgated pursuant to clause
(i)become final, States may not issue new EBT cards with magnetic stripes. Not later than 5 years after the date on which the regulations promulgated pursuant to clause
(i)become final, States shall be required to reissue any existing valid EBT cards with magnetic stripes as chip-enabled EBT cards without magnetic stripes. In the case of a chip-enabled EBT card reissued pursuant to any of subclauses
(IV)through (VI), absent suspicion of fraud, as applicable, a State shall— reissue a new chip-enabled EBT card; and deactivate the current chip-enabled EBT card on the date that is the earlier of— the date on which the new chip-enabled EBT card is activated; and 60 days after the date on which the new chip-enabled EBT card is sent to the household. Under the cybersecurity regulations described in clause (i), all EBT cards, except EBT cards issued to victims of a disaster pursuant to section 5(h) or solely for benefits under the summer electronic benefits transfer for children program established under section 13A of the Richard B. Russell National School Lunch Act ( 42 U.S.C. 1762 ), issued during the 5-year period following the deadline for carrying out clause (ii)(VI) shall be chip-enabled, unless the Secretary extends that period. The cybersecurity and digital service regulations described in clause
(i)shall supersede any regulations promulgated under paragraph
(2)of section 501(a) of division HH of the Consolidated Appropriations Act, 2023 ( 7 U.S.C. 2016a(a) ) (as in effect on the day before the date of enactment of the Enhanced Cybersecurity for SNAP Act of 2026 ). Each State upgrading EBT cards to comply with the regulations promulgated under subparagraph (B)(i) shall receive reimbursement from the Secretary in an amount determined by the Secretary to cover all reasonable costs incurred by the State, including— the 1-time up-front costs paid by the State to card vendors; the additional annual fees associated with chip-enabled cards paid by States to card vendors; and postage or other delivery-related costs. Beginning 60 days after the date of enactment of this paragraph, a State agency may not require, with respect to a PIN for use of an EBT card or a password for access to an online account or mobile application managing the EBT card— that the PIN or password be periodically changed in circumstances that are prohibited by the NIST PIN and password standards; or that the password meet complexity requirements that are prohibited by the NIST PIN and password standards. In this subparagraph: The term administering entity means an entity awarded a grant under clause
(ii)to provide subgrants to eligible entities. The term eligible entity means— an entity described in paragraph
(1)or
(3)of section 3(o) that— is authorized to participate in the supplemental nutrition assistance program under section 9; does not have payment terminals that accept chip-enabled EBT cards; and is located in an area with limited grocery access, as determined by the Secretary; and an entity described in paragraph (2), (4), or
(5)of section 3(o) that meets the requirements described in subitems
(AA)and
(BB)of item (aa). The Secretary shall establish a grant program to award a grant to an administering entity to provide subgrants to eligible entities to upgrade to chip-compatible payment terminals that support contact and contactless payment card technology. The Secretary shall— collect, and publish on the website of the Department of Agriculture, data on— the length of time each user interface offered by each State pursuant to subparagraph (B)(ii)(I) was unavailable for use, including due to technical problems or maintenance needs; and cybersecurity measures adopted for EBT cards in each State; and maintain and annually update the data collected under clause
(i)to support States in implementing any regulations promulgated pursuant to subparagraph (B)(i). Not later than 1 year after the date of enactment of this paragraph, and every 2 years thereafter, the Secretary shall submit to the Committees on Appropriations and Agriculture, Nutrition, and Forestry of the Senate and the Committees on Appropriations and Agriculture of the House of Representatives, and make publicly available on the website of the Department of Agriculture, a report that— identifies trends relating to the theft of benefits, including the frequency of theft of benefits, the locations at which EBT cards are compromised, and the method by which EBT cards are compromised; evaluates the effectiveness of existing cybersecurity regulations for the supplemental nutrition assistance program, including identifying ineffective measures and the compliance burden borne by individual benefit recipients; describes the efforts of States— to update cybersecurity measures for EBT cards; and to reimburse stolen benefits; and examines usability issues of EBT cards, including issues that present barriers to households using benefits or affect fraud prevention goals. The report under clause
(i)may include a nonpublicly available annex containing classified or law enforcement-sensitive information and any identifying merchant information. .
Connectionstraces to 3
Citation graph
cites case law
Cites 3Cited by 0 across 0 sources