This bill amends the Food and Nutrition Act of 2008 to force a multi-year modernization of electronic benefit transfer (EBT) systems used by SNAP. It requires the Department of Agriculture to promulgate cybersecurity and digital service regulations, directs States to phase in chip-enabled (EMV-like) cards, sets user-interface and notification minimums, and creates reimbursement and grant mechanisms to cover transition costs.
The measure couples technical mandates with data collection and reporting: States must offer secure, mobile-friendly user interfaces, provide opt-in transaction alerts and 12-month histories, and begin issuing chip-enabled cards on a statutory timetable. The bill also requires stronger protections for online EBT transactions, prohibits State password/PIN practices that conflict with NIST guidance, and conditions store participation on having chip-capable terminals — all while directing USDA to reimburse State upgrade costs and to run a grant program for terminal upgrades in low-access areas.
At a Glance
What It Does
The bill orders USDA to issue cybersecurity and digital service regulations within two years and to review them every five years; it sets explicit deadlines for States to issue chip-enabled EBT cards and to stop issuing magnetic-stripe cards. It also mandates merchant terminal upgrades as a condition of SNAP authorization, requires APIs for third-party access, and establishes reimbursement and grant funding to cover State and retailer upgrades.
Who It Affects
State SNAP agencies, EBT card vendors, retail food stores and wholesale food concerns seeking SNAP authorization, third-party software developers that interact with EBT accounts, and SNAP households (particularly those in areas with limited grocery access). USDA gains new operational and reporting responsibilities.
Why It Matters
The bill shifts the technical baseline for SNAP away from legacy magnetic-stripe systems toward modern payment protections and formalizes expectations for digital interfaces and incident reporting. For compliance teams and procurement officers, it creates near-term deadlines, reimbursement rules, and grant opportunities that change capital-planning and vendor-selection choices.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill inserts a new, detailed cybersecurity subsection into the SNAP statute. It begins by defining key terms — notably a statutory definition of “chip-enabled” payment cards that aligns with industry secure-payment technology and resists cloning, and cross-references NIST identity guidance for PINs and passwords.
USDA must consult Treasury and NIST when identifying acceptable chip technologies and consider industry standards for contact and contactless payments.
USDA has two years to write regulations and must review them at least every five years. Those regulations must set minimum rules for State-operated user interfaces (web portals, mobile apps, text/voice/nondigital options) and require that any State web portal be mobile-friendly, multilingual consistent with existing Federal language-access rules, and available at least 99% of the time.
The Secretary must maintain a list of required user interfaces and include an API that lets households delegate account access to third-party software at no fee.The bill specifies a clear chip migration timeline: States must begin issuing chip-enabled cards within two years after final regulations; four years after final regs they may not issue new magnetic-stripe cards; and five years after final regs they must reissue existing magnetic-stripe cards as chip-enabled cards. There is a 10-year requirement to retain basic nondigital and low-tech interfaces on the Secretary’s list unless extended.
USDA must reimburse States for reasonable one-time and ongoing costs of upgrading to chip-enabled cards and establish a grant program to fund chip-capable payment terminal upgrades for eligible retailers located in areas with limited grocery access.On online security, USDA must require and develop measures to detect and prevent benefit theft and the compromise of merchant data that could propagate fraud. The agency must set standard reporting formats for States to share incident and theft data, consult with law enforcement and stakeholders, and produce biennial reports (with a confidential annex option) identifying compromised retailers and trends.
The bill also prohibits States from imposing PIN/password rotation or complexity rules that conflict with NIST SP 800-63B, and it requires States to provide opt-in electronic transaction notices, searchable 12-month histories, and a 3-business-day replacement timeline for damaged, lost, frozen, or stolen cards, with in-person pickup optional. Finally, the measure requires USDA reports on EBT card cloning risks in Puerto Rico and makes several conforming edits to prior appropriations language.
The Five Things You Need to Know
USDA must promulgate cybersecurity and digital service regulations within 2 years and review them at least every 5 years.
States must begin issuing chip-enabled EBT cards within 2 years after final regulations; no new magnetic-stripe cards may be issued after 4 years; all existing mag-stripe cards must be reissued as chip-enabled within 5 years.
The Secretary must maintain a list of required user interfaces (including web portal and mobile app), require a free API for third-party delegation, and keep text, voice, and nondigital interfaces on that list for at least 10 years.
USDA will reimburse States for reasonable costs of upgrading to chip-enabled cards (one-time vendor costs, additional annual fees, and delivery costs) and create a grant program to upgrade retailer terminals in areas with limited grocery access.
States may not require PIN/password practices that conflict with NIST SP 800‑63B (e.g.
forced periodic changes or prohibited complexity rules), and must provide a replacement EBT card to households within 3 business days of request.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
New cybersecurity subsection and definitions
This addition creates paragraph (15) in 7(h) and supplies statutory definitions for 'chip-enabled', 'mobile friendly', 'NIST PIN and password standards', and 'PIN'. It assigns USDA the duty — in consultation with Treasury, NIST, and industry standards bodies — to identify acceptable chip technologies and to ensure those technologies resist cloning. Practically, this forces future rulemaking to reference recognized technical standards rather than ad hoc criteria.
Two-year deadline for regulations; five-year review cycle
USDA must issue final cybersecurity and digital service regulations within two years of enactment and then review/update them at least every five years. That creates binding schedules for the agency’s rulemaking calendar and a statutory expectation of periodic modernization, which affects procurement cycles and vendor contracts tied to regulatory triggers.
User-interface minimums, API access, uptime, and chip-card timelines
The rules must require States to operate one or more user interfaces from a Secretary-maintained list (web portal, mobile app, text, voice, and nondigital options), make web portals mobile-friendly, provide multilingual support, and meet a 99% availability target. The Secretary must list required interfaces and include a free API so households can delegate access to third-party software. The provision sets the phased chip migration: begin issuing chip cards within 2 years after final rules, stop issuing new magnetic-stripe cards after 4 years, and reissue existing magnetic-stripe cards within 5 years. There is also a temporary 10-year floor for retaining low-tech interfaces on the Secretary’s list.
Federal reimbursement to States and grants for retailer terminals
USDA must reimburse States for reasonable costs of upgrading cards, explicitly including one-time vendor costs, additional annual chip-card fees, and delivery/postage. Separately, USDA will award grants to administering entities that provide subgrants to eligible retailers (including certain authorized community partners and stores in limited-access areas) to buy chip-compatible contact and contactless terminals. The eligibility language targets vendors lacking chip-capable terminals and prioritizes locations with constrained grocery access.
Publicly available EBT availability, cybersecurity data, and biennial reports
USDA must collect and publish data on user-interface outages and State cybersecurity measures, update those datasets annually, and produce a public report within one year and then every two years that analyzes theft trends, the effectiveness of regulations, State reimbursement practices, and usability barriers — with an option for a restricted annex containing classified or law-enforcement-sensitive details.
Online transaction security standards and stakeholder consultation
This section directs USDA to develop standards to detect and prevent theft through online transactions, to require secure handling of merchant-generated data, and to create standard reporting for online-transaction theft. USDA must consult with HHS/ACF, DOJ, State agencies, retailers, and EBT contractors to identify how online compromises occur and how stolen credentials are used, and produce a biennial report (with confidential annex) cataloging implicated retailers and recommending mitigation strategies.
Card replacement timelines and limits on replacement fees
USDA must require States to replace damaged, frozen, stolen, or malfunctioning EBT cards within three business days of a household request, with in-person pickup optional. The law prevents States from charging replacement fees when the card fails, is subject to suspected external fraud, expires, or must be replaced to comply with the new chip requirements; this alters State fee policies and may affect administrative recovery processes.
Retailer terminal requirement for SNAP participation
Beginning 180 days after the final cybersecurity regulations, USDA must require retail food stores and wholesale food concerns seeking authorization or reauthorization to accept SNAP benefits to have a chip-enabled terminal at every retail location. This conditions program participation on merchants adopting chip-capable point-of-sale hardware and ties SNAP vendor compliance to equipment standards.
Puerto Rico EBT security review
USDA must issue a one-year report assessing the susceptibility of EBT cards in Puerto Rico to cloning and recommend system improvements; the report may include a nonpublic annex for sensitive information. This provision responds to geographic-specific fraud concerns and directs focused technical review and recommendations.
This bill is one of many.
Codify tracks hundreds of bills on Social Services across all five countries.
Explore Social Services in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- SNAP households prone to card cloning or online fraud — will gain chip-enabled cards, opt-in transaction alerts, searchable 12-month histories, and a guaranteed 3-business-day replacement process that reduces benefit disruption.
- States that upgrade their systems — receive reimbursement for one-time and recurring upgrade costs, reducing the fiscal barrier to migrating away from magnetic-stripe technology and enabling modernization without full up-front budget hits.
- Eligible small retailers and food access points in limited-grocery areas — can receive subgrants to buy chip-compatible terminals, making them compliant with SNAP vendor rules and improving their ability to accept electronic payments.
- Third-party software developers — benefit from a required, free API that enables household-authorized account delegation and innovation in account-management tools.
- USDA and federal law enforcement — gain standardized incident data and recurring reports (including restricted annexes) to identify trends and target enforcement or technical assistance more efficiently.
Who Bears the Cost
- Retail food stores and wholesale food concerns — must deploy chip-enabled terminals at every retail location to gain or maintain SNAP authorization, entailing capital costs and potential transaction-fee changes if not covered by grants.
- State SNAP agencies — face operational and project-management costs to deploy new user interfaces, reissue cards, maintain 99% uptime, and integrate APIs; although reimbursed for card costs, upgrading legacy systems imposes administrative burdens and timing risks.
- EBT card vendors and payment processors — must supply chip-enabled card products and potentially support contactless/contact-capable terminals, shifting vendor requirements and contract terms.
- USDA — assumes rulemaking, reimbursement administration, grant program management, data collection, and reporting responsibilities, which require staff and resources to implement effectively.
- Taxpayers/federal budget — reimbursements and grant funding increase federal outlays to support State transitions and retailer upgrades, creating programmatic costs for Congress to appropriate.
Key Issues
The Core Tension
The central dilemma is trade-off between strengthening technical defenses (chip cards, merchant terminal mandates, stronger online protections) and preserving equitable, low-friction access for SNAP households and small retailers: stricter technology reduces cloning and certain fraud vectors but raises cost, operational complexity, and potential access barriers that the statute mitigates only partially through reimbursement, grants, and preserved low-tech interfaces.
The bill balances concrete technical mandates with funding and reporting, but it leaves several practical implementation questions unresolved. For example, the statute defines 'chip-enabled' and ties standards to consultation with NIST, Treasury, and ASC X9, yet the specifics of encryption, offline authentication, tokenization, and liability allocation in mixed online/in-person fraud scenarios will depend on rulemaking and vendor contracts.
States with older payment infrastructures face tight timelines: issuing chip-enabled cards within two years of final regulations and completing a full reissuance within five years could strain local procurement, increase issuance errors, and create temporary confusion for beneficiaries.
Another tension concerns accessibility versus security. The bill preserves nondigital user interfaces and requires a 99% uptime target, multilingual support, and a 3-business-day replacement promise, but stricter terminal and card requirements can still raise barriers — merchants in low-margin rural locations may struggle to buy compliant terminals even with grants, and households that lack smartphones or stable mailing addresses may encounter trouble activating or receiving reissued chip cards.
The statutory prohibition on PIN/password practices that conflict with NIST SP 800-63B protects against harmful password policies, yet implementing NIST guidance in low-resource contexts (for example, fallback customer-service authentication after a lost credential) will require operational design choices that the statute does not prescribe.
Finally, the reporting provisions create a dual-access model — public trend reports and a restricted annex for sensitive merchant or law-enforcement information. That split protects investigations but complicates transparency and vendor risk assessments: researchers and some State actors may lack access to the detailed merchant-level data needed to prioritize protections at the local level.
USDA’s ability to collect consistent, comparable incident data from many State systems (some of which will be modernized at different paces) is an unresolved implementation risk that will determine whether the policy actually reduces fraud or merely redistributes where and how it occurs.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.