The bill amends the Food and Nutrition Act of 2008 to impose new cybersecurity and usability requirements for Electronic Benefit Transfer (EBT) systems. Key mandates include a timetable for issuing chip-enabled (EMV-like) EBT cards, required digital and nondigital user interfaces with an API for third-party delegation, expanded data-sharing and investigative powers for the USDA Office of Inspector General (OIG), and a civil penalty equal to twice the value of stolen SNAP benefits.
These changes shift substantial technical, operational, and compliance obligations onto State agencies, EBT processors, retailers, and vendors while creating new tools for federal enforcement and reporting. State and private actors will face phased deadlines, mandatory reporting, and restrictions on password/PIN practices that align with NIST guidance — all intended to reduce payment-card cloning and cyber-enabled SNAP fraud but likely to require sizeable system upgrades and operational adjustments.
At a Glance
What It Does
Requires the Secretary of Agriculture to promulgate cybersecurity regulations for EBT systems, mandates chip-enabled EBT cards on a multi-year schedule, establishes minimum user-interface requirements (web, mobile, SMS, voice, nondigital) and a no-fee API for third-party delegation, expands USDA OIG authority to investigate cyber-enabled benefit theft and subpoena data, and creates a civil penalty equal to twice the value of benefits stolen.
Who It Affects
State SNAP agencies and their EBT processors/vendors must update card stock, back-end systems, and user interfaces; retailers and wholesale food concerns must deploy chip-enabled payment terminals at each location; the USDA OIG, DOJ, and law enforcement partners gain broader investigative powers; SNAP households face new opt-in transaction notices and account controls.
Why It Matters
The bill codifies private-sector payment security norms into the SNAP ecosystem, establishing national minimums and enforcement tools for a federally funded benefits program. It centralizes incident data and creates timelines that will drive procurement, software development, and compliance work across states, vendors, and retailers.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill layers three kinds of changes onto the existing SNAP payment system: enforcement, card and terminal technology, and consumer-facing account features. Enforcement changes expand the USDA Inspector General’s remit to investigate cyber-enabled crimes against SNAP, authorize subpoenas and warrants, and explicitly permit the OIG to request data from State EBT processors and vendors and to coordinate with DOJ, FBI, DHS, Secret Service, and banks.
Parallel to expanded authority, the bill authorizes the Secretary to issue rules and allocate funds to support those activities.
On the payments side, the secretary must issue cybersecurity and digital-service regulations within two years and then review them every five years. The regulations must require States to begin issuing chip-enabled EBT cards within two years of final rules and phase out magnetic-stripe cards: new cards may not be magnetic-stripe after four years and all existing mag-stripe cards must be reissued as chip-enabled within five years.
States must reissue cards on a consumer-friendly schedule and deactivate prior cards once the replacement is delivered or activated. Retailers seeking SNAP authorization must have chip-enabled terminals at every retail location within 180 days after the USDA finalizes its regulations.Consumer-facing requirements are prescriptive.
States must offer a set of user interfaces — at minimum a web portal (mobile-friendly), a mobile app, SMS, voice, and a nondigital option — and maintain an API that allows households to delegate account access to third-party software at no fee. States must offer opt-in transaction alerts and searchable 12-month transaction histories; provide mechanisms to report suspected fraud via each interface; allow households to freeze/unfreeze card use for manually entered card numbers; and offer tokenization or virtual-card-number options for online purchases.
The bill also bars State password/PIN rules that conflict with NIST Digital Identity Guidelines, requires public data collection about interface uptime and adopted security measures, and requires biennial public reporting with a restricted annex for law enforcement-sensitive material.To reduce interruption of benefits, the bill requires States to provide replacement cards — by mail or in person per household choice — within three business days of request when a card is damaged, stolen, frozen due to fraud, or malfunctioning; it prohibits replacement fees in those circumstances. Finally, the bill establishes a civil penalty for anyone who knowingly uses or transfers SNAP benefits without authorization equal to twice the value of the benefits lost, allows the Secretary to collect that penalty administratively or in federal court, and channels recovered funds toward reimbursing households and supporting OIG investigative costs.
The Five Things You Need to Know
The bill gives USDA OIG explicit authority to subpoena state EBT processors and vendors, execute warrants, and coordinate multi‑jurisdictional cyber investigations.
States must begin issuing chip-enabled EBT cards within 2 years of final USDA regulations, stop issuing magnetic-stripe cards for new issuance after 4 years, and reissue all existing mag-stripe cards as chip-enabled within 5 years.
A civil penalty equal to twice the value of stolen SNAP benefits may be assessed administratively or via federal civil action; recovered funds are earmarked to reimburse households and support OIG investigations.
States must provide replacement EBT cards (mail or in-person per household choice) within 3 business days of request when a card is damaged, lost, malfunctioning, stolen, or frozen due to fraud, and may not charge replacement fees for those causes.
Retailers and wholesale food concerns seeking SNAP participation must install chip-enabled payment terminals at every retail location within 180 days after USDA finalizes its cybersecurity regulations.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Expanded USDA OIG investigative and coordination authority
This provision gives the USDA Inspector General authority to investigate cyber-enabled SNAP benefit theft (skimming, cloning, phishing, spoofing, unauthorized EBT access), issue subpoenas and warrants, make civil or criminal referrals, and obtain data from State processors and vendors. It also authorizes coordination with DOJ, FBI, DHS, Secret Service, state/local law enforcement, and financial institutions, and authorizes the Secretary to fund OIG activities. Practically, this centralizes federal investigative leverage over fragmented state EBT ecosystems and creates a statutory hook for cross-jurisdictional evidence requests and joint enforcement operations.
Civil penalty for unauthorized access or use of SNAP benefits
The bill creates a civil penalty equal to twice the value of benefits knowingly misused and permits the Secretary to collect it administratively or pursue a civil action in federal court. Funds recovered must offset household reimbursements and cover enhanced OIG investigatory costs. That dual collection pathway speeds administrative recovery but also raises questions about evidentiary standards and how the Secretary will balance household restitution with program integrity spending.
Comprehensive cybersecurity, card, and user-interface mandates
This long subsection defines 'chip-enabled' payment cards, references EMVCo standards as a consideration, and requires the Secretary to promulgate regulations within two years and review them every five years. Regulations must require a menu of user interfaces (web/mobile/SMS/voice/nondigital) with uptime and language requirements, provide an API for delegation to third parties at no charge, mandate opt-in transaction alerts and 12-month searchable histories, offer tokenization or virtual-card numbers for online use, allow freeze/unfreeze for manually entered card numbers, and set explicit timeframes for chip rollout (2/4/5 year milestones). It also bars state PIN/password rules that contradict NIST SP 800‑63B, requires data collection on interface uptime and security measures, and orders biennial public reports with a law-enforcement annex.
Protections to avoid benefit access loss after card problems
The bill tightens rules to require States to deliver replacement EBT cards within three business days after a household requests one and to allow households to choose mail or in-person pickup. It elevates rapid replacement to a regulatory requirement to prevent households from losing access to benefits during card replacement or fraud resolution, changing operational SLAs for state agencies and vendors.
Prohibition on replacement fees in common failure scenarios
States may not charge replacement fees when cards are replaced for malfunction, suspected or reported fraud by outsiders, expiration, or required replacements under the new chip rules. This narrows prior state discretion to levy fees and shifts replacement costs onto State programs or vendors unless alternative funding is provided.
Retailer requirement for chip-enabled payment terminals
The Secretary must require retail food stores and wholesale food concerns seeking SNAP authorization or reauthorization to install chip-enabled payment terminals at each location within 180 days after USDA finalizes its regulations. This makes terminal-level EMV acceptance a condition of program participation, creating a compliance hurdle — particularly for small or remote retailers — and aligning merchant-side protections with the card-side mandates.
Puerto Rico EBT security report
USDA must produce a report within one year on the cloning resistance of EBT cards issued in Puerto Rico and recommend improvements if necessary, with an optional restricted annex. This directs attention to territory-specific vulnerabilities and creates a discrete deliverable that may inform procurement or targeted security fixes.
Conforming amendments
This section cleans up and realigns provisions in the Consolidated Appropriations Act, 2023 related to SNAP reimbursement authorities. Mechanically it removes and redesignates certain paragraphs and updates cross-references to conform with the new regulatory and enforcement architecture created by this bill.
This bill is one of many.
Codify tracks hundreds of bills on Social Services across all five countries.
Explore Social Services in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- SNAP households — get faster replacement cards (3 business days), opt-in transaction alerts, searchable 12‑month transaction histories, tokenized online options, and the ability to freeze/unfreeze card use, which reduces exposure to cloning and unauthorized transactions.
- Federal and state law enforcement — USDA OIG gains subpoena power and explicit authority to coordinate across jurisdictions and with federal partners, improving investigative reach into cross‑state EBT fraud schemes.
- Consumers and the broader payments ecosystem — aligning EBT security with private‑sector standards (chip tokens, NIST guidance) reduces systemic cloning risk that can spill over into merchant liability and chargeback costs.
- Retailers that adopt updated terminals — stand to reduce fraud-related losses and liability from counterfeit card transactions once chip acceptance and tokenized online flows are in place.
Who Bears the Cost
- State SNAP agencies — must fund or procure new chip card stock, update user interfaces, maintain APIs, meet uptime/language requirements, and absorb replacement card logistics within short timelines.
- EBT processors and contracted vendors — required to implement EMV-like chip support, tokenization, free API endpoints, and NIST-compliant identity flows, implying substantial development, certification, and operations expense.
- Small and rural retailers — must deploy chip-enabled terminals at every location within a tight window to remain eligible for SNAP, creating up-front hardware and integration costs and operational disruption.
- USDA (program management) — faces new data-collection, reporting, and oversight responsibilities, including the potential need to fund OIG operations and provide technical assistance to States.
- Third-party developers and fintechs — must integrate with State APIs but cannot be charged for API access; they also inherit responsibilities for protecting delegated account access and will be subject to whatever rules States and USDA impose.
Key Issues
The Core Tension
The central dilemma is security versus access: the bill strengthens technical defenses and centralized enforcement to reduce sophisticated fraud, but those same technical upgrades and timelines place operational and financial burdens on States, vendors, and small retailers and risk creating short‑term access barriers for the vulnerable households the program serves.
The bill pushes SNAP’s payment architecture toward contemporary card-security technology and modern digital services, but it does so with hard deadlines and broad obligations that raise practical tensions. The chip rollout schedule (begin issuing within 2 years; phase out mag-stripe issuance by year 4; complete reissuance by year 5) is aggressive for programs that rely on multiple state contracts and legacy processors — procurement cycles, vendor certification (including EMVCo-like testing), and physical card production could create bottlenecks.
States will need clear funding and technical support to avoid service disruptions.
Data sharing and expanded OIG power improve detection and prosecution capabilities but raise governance questions: what privacy and access controls will protect household transaction data when the OIG and interagency partners receive processor‑level feeds? The bill requires public reporting and an optional restricted annex, but it does not specify retention limits, data-minimization practices, or oversight mechanisms for the no‑fee API that allows third‑party delegation — creating potential vectors for privacy risk or unintended exposure if API security is uneven across states.
Finally, barring state PIN/password practices that conflict with NIST SP 800‑63B sets a federal floor for authentication, but it may also eliminate some legacy practices states use for accessibility; translating NIST guidance into accessible workflows for low‑tech or low-literacy households will require careful implementation.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.