This bill amends the Food and Nutrition Act of 2008 to create a binding federal framework for the cybersecurity and digital operation of Electronic Benefit Transfer (EBT) systems. It directs USDA’s Food and Nutrition Service (FNS) to promulgate cybersecurity and digital-service regulations for SNAP EBT cards and associated mobile and web interfaces, requires States to transition to chip-enabled cards, mandates retailer terminal upgrades as a condition of SNAP participation, and establishes reimbursement and grant mechanisms to cover upgrade costs.
The statute also standardizes customer-facing services (multilingual, mobile-friendly portals, transaction notifications, ability to report fraud and view 12 months of history), prohibits state PIN/password rules that conflict with NIST guidance, requires public reporting on theft trends and EBT uptime, and creates a targeted grant program to help retailers in low-access areas upgrade payment terminals. For state agencies, card vendors, retailers, and technology providers, the bill replaces piecemeal guidance with prescriptive, federally coordinated requirements and timelines that reshape how benefits are delivered and secured.
At a Glance
What It Does
Directs the Secretary of Agriculture to issue cybersecurity and digital-service regulations for SNAP EBT systems; requires States to provide specified user interfaces and to migrate to chip-enabled EBT cards; conditions retailer SNAP participation on having chip-enabled terminals; and creates federal reimbursement, grants, data collection, and reporting obligations.
Who It Affects
State SNAP agencies, card vendors, EBT contractors, retail food stores and wholesale food concerns participating in SNAP, third-party fintechs that would use the mandated API, and SNAP households—especially those with limited digital access.
Why It Matters
The bill moves SNAP EBT into payment-industry security norms (chip cards, NIST-aligned authentication, APIs), imposes concrete deadlines and operational requirements, reallocates upgrade costs through federal reimbursements and grants, and centralizes data collection and reporting to inform enforcement and future rulemaking.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill adds two new, substantive programmatic paragraphs to the statute governing SNAP EBT security and operations. It begins by giving FNS explicit rulemaking authority and a 2-year deadline to write regulations, then requires periodic reviews.
Definitions in the text direct FNS to align the law with recognized industry and federal standards: a ‘chip-enabled’ card must use industry-standard secure payment technology and resist cloning; ‘mobile friendly’ references the federal definition; and NIST SP 800-63B governs PIN and password policies.
On the consumer-facing side, each State must operate at least one of the user interfaces listed by FNS (web portal, mobile app, SMS, voice, and a nondigital channel). Web portals must be mobile friendly, available in required languages, and meet a 99% availability target; FNS will maintain the list and also require an API that lets households delegate account access to third-party software without fees.
States must offer opt-in electronic transaction notifications, searchable 12-month transaction histories, the ability to report fraud through each interface, and a way for households to check recertification status.The bill lays out a phased chip migration: once FNS’s regulations are final, States must begin issuing chip-enabled EBT cards within 2 years; new magnetic-stripe cards may not be issued after 4 years; and all existing magnetic-stripe cards must be reissued as chip-enabled within 5 years. When reissuing, States must send a new chip card and deactivate the prior card when the new card is activated or 60 days after mail-out.
To reduce state budget barriers, FNS must reimburse States for reasonable costs associated with the upgrade (one-time vendor costs, additional annual chip-card fees, and delivery/postage).The bill also constrains authentication practices: 60 days after enactment, States cannot force periodic PIN or password changes or complexity rules that NIST SP 800-63B says are counterproductive. For retailers, FNS is required to make chip-enabled payment terminals a condition of SNAP authorization or reauthorization at each retail location, and the bill creates a grant program that funds terminal upgrades for SNAP-authorized retailers in areas with limited grocery access.
Finally, FNS must collect and publish data on user-interface uptime and state cybersecurity measures, produce recurring reports on theft trends (with a restricted annex option for law enforcement-sensitive merchant information), and deliver a focused report on EBT cards issued in Puerto Rico.
The Five Things You Need to Know
The Secretary must publish final cybersecurity and digital-service regulations within 2 years after enactment and review them every 5 years.
States must begin issuing chip-enabled EBT cards within 2 years after those regulations are final, stop issuing new magnetic-stripe cards after 4 years, and reissue all existing magnetic-stripe cards as chip-enabled within 5 years.
FNS must reimburse States for ‘reasonable’ upgrade costs, explicitly including one-time vendor fees, additional annual chip-card fees, and postage or delivery-related expenses.
Retail food stores and wholesale food concerns must have a chip-enabled payment terminal at every retail location as a condition of SNAP authorization or reauthorization beginning 180 days after the FNS regulations are final.
Beginning 60 days after enactment, States may not require PIN or password practices that conflict with NIST SP 800–63B (for example, forced periodic changes or banned complexity requirements).
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions aligned with industry and federal standards
This subsection defines key terms the regulations will use: ‘chip-enabled’ ties EBT cards to industry-standard secure payment technology and requires resistance to cloning; FNS must consult Treasury and NIST (and Accredited Standards Committee X9) on whether to require contact and contactless standards. The provision also imports the federal ‘mobile friendly’ meaning and anchors PIN/password treatment to NIST SP 800–63B. Practically, these definitions limit regulatory wiggle room and force FNS rulemaking to follow established payment and federal identity practices.
Regulatory mandate and standardized user interfaces
FNS must promulgate cybersecurity and digital-service regulations within two years and periodically update them; the text prescribes a set of consumer-facing controls: multilingual, mobile-friendly interfaces, 99% availability, opt-in transaction alerts, searchable 12-month histories, fraud-reporting functionality, and enrollment/recertification visibility. FNS will publish a list of required interfaces and must include a no-fee application programming interface (API) so third parties can integrate—this creates a government-directed interoperability baseline for state EBT systems and opens the program to third-party account-management services.
Chip migration timeline and card-replacement mechanics
The bill sets a concrete migration schedule: States begin issuing chip-enabled cards two years after final regs; new magnetic-stripe cards are barred after year four; and all existing magnetic cards must be reissued as chip-enabled by year five. When States reissue, they must send the new card, deactivate the prior card once the new card is activated or 60 days after mailing, and, absent fraud suspicion, the State must reissue (rather than temporarily unlock) the new chip card. These mechanics govern operational workflows between States, vendors, and recipients and create predictable windows for procurement and outreach.
Reimbursements to States and targeted grants for retailers
FNS is required to reimburse States for reasonable costs tied to the chip migration, explicitly listing one-time vendor costs, annual chip fees, and postage. Separately the bill establishes a grant program administered to subgrant SNAP-authorized retailers (and certain wholesalers) located in areas with limited grocery access to upgrade to chip-compatible contact and contactless terminals. Eligibility is limited to stores that currently lack chip-capable terminals; the grants aim to prevent a gap where upgraded EBT cards become unusable at small or remote retailers.
Online transaction security and merchant data reporting
FNS must use its rulemaking to impose security measures for online EBT transactions to detect and prevent benefit theft and to limit merchant-side data compromises. The agency must standardize reporting methods so States can supply consistent data on online thefts, consult with federal law enforcement and stakeholders to understand attack vectors, and produce recurring reports (with a confidential annex option) identifying affected retailers and frequency of incidents. This raises the statutory expectation that online merchant cybersecurity will be part of the EBT ecosystem going forward.
Consumer protections, retailer conditions, Puerto Rico review, and cleanup
The bill requires States to replace damaged, stolen, frozen, or malfunctioning cards within three business days (by mail or in-person at the household's option), bars replacement charges for malfunction, fraud by outsiders, expiration, or regulator-required replacement, and makes chip-enabled terminals a condition of SNAP participation after the FNS rules are final. It also directs a focused report on EBT cards issued in Puerto Rico and makes conforming edits to prior appropriations-law provisions so the new regulations supersede earlier guidance. These provisions tighten user protections while expanding USDA’s oversight role.
This bill is one of many.
Codify tracks hundreds of bills on Social Services across all five countries.
Explore Social Services in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- SNAP households: gain stronger fraud protections (chip cards), transaction visibility (opt-in alerts and 12-month histories), faster replacement timelines, and multilingual, mobile-friendly interfaces that can reduce disruptions to benefit access.
- States (administrative side): receive federal reimbursement for upgrade costs and clearer federal standards that reduce patchwork compliance questions and provide funding pathways for terminal upgrades.
- Residents in low-access grocery areas and small authorized retailers: the grant program targets terminal upgrades in those communities, helping keep local stores able to accept SNAP after the chip migration.
- Third-party account-service providers and fintechs: the mandated no-fee API creates a predictable integration point to offer delegated account tools and notification services to SNAP households.
- Law enforcement and program integrity teams: standardized data collection and recurring reports improve visibility into theft trends and where compromises occur, supporting investigations and targeted interventions.
Who Bears the Cost
- Retail food stores and wholesale food concerns: must upgrade to chip-enabled terminals at each retail location to remain SNAP-authorized; grants are available but may not cover all stores or costs in time.
- State SNAP agencies and card vendors: must manage a multi-year card reissue program, vendor procurement, customer outreach, and system updates; although reimbursed, states still face operational coordination and transitional burdens.
- USDA/FNS: must staff and run the rulemaking, reimbursement review, grant program, data collection and public reporting obligations—an administrative expansion with enforcement responsibilities.
- Small community retailers without grant eligibility or who miss grant cycles: may face out-of-pocket expenses, lost sales, or risk to SNAP participation if upgrades are delayed.
- SNAP households with limited technology or literacy: while the bill requires nondigital alternatives, households that rely on older terminals, lack mobile access, or are uncomfortable with new card technology may face short-term friction during rollout.
Key Issues
The Core Tension
The bill’s central dilemma is straightforward: tighten EBT security to reduce fraud and align SNAP with modern payment standards, or preserve maximum, low-friction access for a population with limited digital resources. Strong technical rules (chip migration, APIs, NIST controls) lower fraud risk but raise costs and complexity for States, small retailers, and technology-underserved households; lax rules preserve access but leave program integrity vulnerabilities. There is no policy that fully achieves both ends without careful, resource-intensive implementation and clear allocation of costs and responsibilities.
The bill advances clear security goals but leaves several practical implementation questions unresolved. The timelines for chip issuance and terminal upgrades are explicit, but the statute delegates much of the technical detail to FNS rulemaking and to interagency consultation; that means outcomes will depend on how prescriptive the forthcoming regulations are, how FNS measures ‘reasonable’ reimbursement costs, and how it defines operational metrics like the 99% availability requirement.
Supply-chain bottlenecks for chip cards or terminal hardware, contracting cycles for state EBT vendors, and the pace of small-retailer upgrades could all delay the intended protections, even if federal funds are available.
The requirement for a no-fee API and for third-party delegation promotes competition and consumer choice, but it also creates new privacy and liability questions. If households delegate account access to third-party apps, who bears responsibility for fraud stemming from third-party compromise?
The bill requires data collection and creates confidential annexes for sensitive merchant information, but it does not clarify data-retention limits, breach-notification duties, or lines of liability among States, vendors, retailers, and app developers. Similarly, prohibiting certain PIN/password practices aligns SNAP with NIST guidance, but some States still operate legacy authentication schemes; forcing immediate alignment could create short-term friction for systems that require reengineering.
Finally, the text expands FNS oversight without enumerating enforcement tools for noncompliant retailers or States beyond participation conditions and reimbursement channels. That gap risks uneven compliance: larger vendors may comply quickly while small retailers or under-resourced State agencies lag.
The bill also creates a tension between public reporting (transparency) and the operational need to protect law-enforcement-sensitive merchant data—FNS must balance public accountability against the risk that overly detailed public disclosures could expose merchants to reputational harm or escalate fraud.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.