- Record: Senate Floor
- Section type: Amendments
- Chamber: Senate
- Date: June 24, 2026
- Congress: 119th Congress
- Why this source matters: This section came from the Senate floor portion of the record.
SA 6196. Mr. WYDEN (for himself, Mr. Fetterman, Mr. Cassidy, Mr. Booker, Mr. McCormick, Mrs. Britt, and Mr. Justice) submitted an amendment intended to be proposed by him to the bill S. 4784, to authorize appropriations for fiscal year 2027 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:
At the appropriate place, insert the following:
SEC. . ENHANCED CYBERSECURITY FOR SNAP.
(a) Short Title.—This section may be cited as the
“Enhanced Cybersecurity for SNAP Act of 2026”.
(b) Definition of EBT Card.—Section 3(i) of the Food and
Nutrition Act of 2008 (7 U.S.C. 2012(i)) is amended by
inserting “(or any successor electronic benefit transfer
product)” before the period at the end.
(c) Enhanced Cybersecurity and Online Transaction Security
for EBT Cards.—Section 7(h) of the Food and Nutrition Act of
2008 (7 U.S.C. 2016(h)) is amended by adding at the end the
following:
“(15) Cybersecurity of ebt cards.—
“(A) Definitions.—In this paragraph:
“(i) Chip-enabled.—
“(I) In general.—The term `chip-enabled', with respect to
a payment card, means a payment card that uses industry
standard secure payment technology, as identified by the
Secretary, in consultation with the Secretary of the Treasury
and the Director of the National Institute of Standards and
Technology, that—
“(aa) provides for secure card-based payment; and
“(bb) is resistant to cloning.
“(II) Chip card technology.—The Secretary, in
consultation with the Secretary of the Treasury and the
Accredited Standards Committee X9, shall consider whether the
secure payment technology described in subclause (I) should
meet the industry standards for contact and contactless
payments.
“(ii) Mobile friendly.—The term `mobile friendly' has the
meaning given the term in section 3559(b) of title 44, United
States Code.
“(iii) NIST pin and password standards.—The term `NIST
PIN and password standards' means the PIN and password
standards described in Special Publication 800-63B entitled
`Digital Identity Guidelines' (or a successor document) of
the National Institute of Standards and Technology.
“(iv) PIN.—The term `PIN' has the meaning given the term
`personal identification number (PIN)' in section 271.2 of
title 7, Code of Federal Regulations (or a successor
regulation).
“(B) Regulations.—
“(i) In general.—Not later than 2 years after the date of
enactment of this paragraph, the Secretary shall promulgate,
and every 5 years thereafter, the Secretary shall review and
update as necessary, cybersecurity and digital service
regulations relating to EBT cards and mobile technologies
under the supplemental nutrition assistance program,
including, at a minimum, to ensure that cybersecurity
measures for EBT cards and mobile technologies keep pace with
security safeguards used by the private sector and required
by Federal agencies for credit, debit, and other payment
cards and mobile technologies.
“(ii) Requirements.—The Secretary shall ensure that the
cybersecurity and digital service regulations described in
clause (i) require the following:
“(I)(aa) Each State agency shall operate the user
interfaces listed on the list of required user interfaces
maintained by the Secretary under item (dd)(AA), in
accordance with this subclause, 1 or more user interfaces of
which households in the State may, at the election of the
applicable household, use to manage the EBT account of the
applicable household.
“(bb)(AA) A State agency may operate other user interfaces
under item (aa) in addition to the required user interfaces
on the list maintained by the Secretary under item (dd)(AA).
“(BB) Any web-based online portal operated by a State
agency as a user interface shall be mobile friendly.
“(cc) Each user interface offered by a State agency under
items (aa) and (bb), as applicable, shall—
“(AA) provide information in each language in which the
State agency is required to make material available pursuant
to section 272.4(b) of title 7, Code of Federal Regulations
(or a successor regulation);
“(BB) be available to households at least 99 percent of
the time; and
“(CC) include any other features required by the
Secretary.
“(dd)(AA) The Secretary shall maintain a list of required
user interfaces for purposes of item (aa), which may include
a web-based online portal and a mobile application.
“(BB) During the 10-year period following the date on
which the regulations promulgated pursuant to clause (i)
become final, unless the Secretary extends that period, the
Secretary shall maintain on the list under subitem (AA) the
following user interfaces: text message, voice telephone
service, and United States Postal Service mail.
“(II)(aa) Each State agency shall provide to households on
an opt-in basis—
“(AA) through each digital user interface offered under
subclause (I), timely electronic notice of transactions using
the EBT account of the household; and
“(BB) through digital or practicable user interfaces
offered under subclause (I), access to, including the ability
to search, historical transactions for not less than the
preceding 12 months.
“(bb) Transaction information under subitems (AA) and (BB)
of item (aa) shall include the amount of the transaction, the
merchant for the transaction, and the city and State of the
merchant.
“(cc) Each State agency shall offer households the
ability, through each user interface offered under subclause
(I), to report a fraudulent transaction to the State agency.
“(dd) A State agency shall not require a household to
respond to or acknowledge a notice of transaction delivered
pursuant to item (aa)(AA).
“(ee) A State agency shall notify any household that has
reported an instance of EBT card skimming or fraud, or is
otherwise identified as being a victim of EBT card skimming
or fraud, of—
“(AA) any State or Federal funds that may be reimbursed if
the household experiences fraud again; and
“(BB) the ability of the household to apply fraud-
prevention measures.
“(III) Each State agency shall provide households issued
an EBT card the ability to check, through each user interface
offered under subclause (I), the enrollment status of the
household.
“(IV) Except as provided in clause (iii)(I), not later
than 2 years after the date on which the regulations
promulgated pursuant to clause (i) become final, State
agencies shall begin issuing chip-enabled EBT cards.
“(V) Except as provided in clause (iii)(I), not later than
4 years after the date on which the regulations promulgated
pursuant to clause (i) become final, State agencies may not
issue new EBT cards with magnetic stripes.
“(VI) Except as provided in subclauses (I) and (II) of
clause (iii), not later than 5 years after the date on which
the regulations promulgated pursuant to clause (i) become
final, State agencies shall be required to reissue any
existing valid EBT cards with magnetic stripes as chip-
enabled EBT cards without magnetic stripes.
“(VII) In the case of a chip-enabled EBT card reissued
pursuant to any of subclauses (IV) through (VI), absent
suspicion of fraud, as applicable, a State agency shall—
“(aa) reissue a new chip-enabled EBT card; and
“(bb) deactivate the current chip-enabled EBT card on the
earlier of—
“(AA) the date on which the new chip-enabled EBT card is
activated; and
“(BB) 90 days after the date on which the new chip-enabled
EBT card is sent to the household.
“(iii) Exceptions.—
“(I) Waivers.—The Secretary may issue a 1-time waiver of
an applicable deadline described in subclause (IV), (V), or
(VI) of clause (ii) with respect to a State agency, subject
to the conditions that—
“(aa) the State agency shall submit to the Secretary a
request for the waiver;
“(bb) the Secretary and the State agency shall agree that
insufficient adoption of payment terminals that accept chip-
enabled EBT cards has occurred among retail food stores in
the State;
“(cc) the waiver may extend the applicable deadline by not
more than 180 days; and
“(dd) the Secretary may not issue more than 2 waivers
pursuant to this subclause for a single State agency.
“(II) Early adopters.—The deadline described in clause
(ii)(VI) shall not apply to any State agency that commenced
the issuance of chip-enabled EBT cards without magnetic
stripes before the date of enactment of the Enhanced
Cybersecurity for SNAP Act of 2026.
“(iv) Sunset for requirement to use chip technology.—
“(I) In general.—Except as provided in subclause (II),
under the cybersecurity regulations described in clause (i),
all EBT cards issued during the 5-year period beginning on
the deadline for carrying out clause (ii)(VI) shall be chip-
enabled, unless the Secretary—
“(aa) provides a waiver for the applicable State agency
pursuant to clause (iii)(I); or
“(bb) extends that period for all State agencies.
“(II) Exceptions.—Subclause (I) shall not apply to EBT
cards issued—
“(aa) by a State agency described in clause (iii)(II);
“(bb) to victims of a disaster pursuant to section 5(h);
or
“(cc) solely for benefits under the summer electronic
benefits transfer for children program established under
section 13A of the Richard B. Russell National School Lunch
Act (42 U.S.C. 1762).
“(III) Successor electronic benefit transfer products.—
Effective beginning on the first day after the 5-year period
described in subclause (I), the Secretary may implement a
successor electronic benefit transfer product to a chip-
enabled EBT card required under this subparagraph pursuant to
a review of EBT card security measures conducted under clause
(i).
“(v) Rule of construction.—The cybersecurity and digital
service regulations described in clause (i) shall supersede
any regulations promulgated pursuant to section 501(a)(2) of
division HH of the Consolidated Appropriations Act, 2023 (7
U.S.C. 2016a(a)(2)).
“(C) Reimbursement.—Notwithstanding any other provision
of this Act, each State agency upgrading EBT cards to comply
with the regulations promulgated pursuant to subparagraph
(B)(i) shall receive full reimbursement from the Secretary
for all reasonable costs incurred by the State agency during
the 5-year period beginning on the date on which the
regulations become final, including—
“(i) the 1-time up-front costs paid by the State agency to
EBT card vendors;
“(ii) the additional annual fees associated with chip-
enabled cards paid by State agencies to EBT card vendors; and
“(iii) postage or other delivery-related costs.
“(D) Prohibition on password and pin requirements
inconsistent with federal cybersecurity standards.—Effective
beginning on the date that is 1 year after the date of
enactment of this paragraph, a State agency may not require,
with respect to a PIN for use of an EBT card or a password
for access to an online account or mobile application
managing the EBT card, that—
“(i) the PIN or password be periodically changed in
circumstances that are prohibited by the NIST PIN and
password standards; or
“(ii) the password meet complexity requirements that are
prohibited by the NIST PIN and password standards.
“(E) Grant program for chip-enabled ebt cards.—
“(i) Definitions.—In this subparagraph:
“(I) Administering entity.—The term `administering
entity' means an entity awarded a grant under clause (ii) to
provide subgrants to eligible entities.
“(II) Eligible entity.—The term `eligible entity' means—
“(aa) an entity described in paragraph (1) or (3) of
section 3(o) that—
“(AA) is authorized to participate in the supplemental
nutrition assistance program under section 9;
“(BB) does not have payment terminals that accept chip-
enabled EBT cards; and
“(CC) is located in an area with limited grocery access,
as determined by the Secretary; and
“(bb) an entity described in paragraph (2), (4), or (5) of
section 3(o) that meets the requirements described in
subitems (AA) and (BB) of item (aa).
“(ii) Grants.—The Secretary shall establish a grant
program to award a grant to an administering entity to
provide subgrants to eligible entities to upgrade to chip-
compatible payment terminals that support contact and
contactless payment card technology.
“(iii) Authorization of appropriations.—There is
authorized to be appropriated to the Secretary to carry out
this subparagraph $15,000,000 for each of fiscal years 2027
through 2031.
“(iv) Sunset.—The grant program under this subparagraph
shall terminate on September 30, 2031.
“(F) Public reports.—
“(i) In general.—Not later than 1 year after the date of
enactment of this paragraph, and every 2 years thereafter
during the 5-year period beginning on the date on which the
regulations promulgated pursuant to subparagraph (B)(i)
become final, the Secretary shall submit to the Committee on
Agriculture, Nutrition, and Forestry of the Senate and the
Committee on Agriculture of the House of Representatives, and
make publicly available on the website of the Department of
Agriculture, a report that, to the maximum extent
practicable—
“(I) identifies trends relating to the theft of benefits,
including—
“(aa) the frequency of theft of benefits;
“(bb) the locations at which EBT cards are compromised;
“(cc) the methods by which EBT cards are compromised;
“(dd) the number and value of reported thefts from online
EBT card transactions; and
“(ee) the relevant online retailers most commonly
compromised;
“(II) evaluates the effectiveness of existing
cybersecurity regulations for the supplemental nutrition
assistance program, including identifying ineffective
measures and the compliance burden borne by individual
benefit recipients;
“(III) describes—
“(aa) the measures and methods developed, and
considerations taken, under paragraph (16)(A); and
“(bb) the determinations made under paragraph (16)(B)(ii);
“(IV) describes the efforts of State agencies—
“(aa) to update cybersecurity measures for EBT cards; and
“(bb) to reimburse stolen benefits;
“(V) examines usability issues of EBT cards, including
issues that present barriers to households using benefits or
affect fraud prevention goals; and
“(VI) recommends potential new methods to consistently
detect, track, report, and prevent theft of benefits,
including theft of data described in paragraph (16)(A)(i)(I).
“(ii) Restricted annex.—A publicly available report under
this subparagraph—
“(I) shall exclude any information that—
“(aa) relates to methods to exploit EBT card and
cybersecurity weaknesses, as determined by the Secretary; or
“(bb) is identifying or proprietary merchant information;
but
“(II) may include information described in subclause (I)
in a nonpublicly available annex.
“(16) Online transaction security.—
“(A) In general.—In promulgating and updating, as
necessary, the regulations under paragraph (15)(B)(i), the
Secretary shall, with respect to online transactions using
EBT cards—
“(i) require security measures that—
“(I) are effective in detecting and preventing theft of
benefits through online transactions, including the theft of
data from online merchants that may compromise the ability of
a household to use benefits in transactions with other
merchants, either online or in-person; and
“(II) prevent sensitive data from being stolen during
online transactions and securely manage sensitive data
generated by online transactions, including through
cybersecurity enhancements for online retailers;
“(ii) establish standard reporting methods for State
agencies to collect and share with the Secretary data on the
scope of benefits and data being stolen through online
transactions; and
“(iii) in carrying out clauses (i) and (ii), take into
consideration the feasibility of cost, availability, and
implementation for State agencies.
“(B) Consultation.—In carrying out subparagraph (A), the
Secretary shall consult with the Director of the
Administration for Children and Families, the Attorney
General of the United States, the Director of the Secret
Service, State agencies, retail food stores, and EBT card
contractors—
“(i) regarding the measures, methods, and considerations
under that subparagraph; and
“(ii) to determine—
“(I) how benefits are being stolen and sensitive data are
being compromised through online transactions; and
“(II) how those stolen benefits and data are being
used.”.
(d) Ensuring No Loss of Access to Benefits Due to EBT Card
Damage, Loss, or Fraud.—Section 7(h)(7) of the Food and
Nutrition Act of 2008 (7 U.S.C. 2016(h)(7)) is amended—
(1) by striking “Regulations” and inserting the
following:
“(A) In general.—Regulations”; and
(2) by adding at the end the following:
“(B) Ensuring no loss of access to benefits due to ebt
card damage, loss, or fraud.—Not later than 1 year after the
date of enactment of the Enhanced Cybersecurity for SNAP Act
of 2026, the Secretary shall promulgate regulations requiring
the following:
“(i) If an EBT card is damaged, no longer functions
properly, is stolen, or is frozen due to fraud, the
applicable State agency shall take the necessary steps to
ensure that a replacement EBT card is issued to the
applicable household, either by mail or in person, as
selected by the household, not later than 5 business days
after the State agency receives from the household a request
for a replacement EBT card.
“(ii) A State agency shall not require, but may offer as
an option, in-person collection of a new or replacement EBT
card.”.
(e) No Replacement Fees for Certain EBT Cards.—Section
7(h)(8)(A) of the Food and Nutrition Act of 2008 (7 U.S.C.
2016(h)(8)(A)) is amended—
(1) by striking “A State agency” and inserting the
following:
“(i) In general.—Subject to clauses (ii) and (iii), a
State agency”; and
(2) by adding at the end the following:
“(ii) Exceptions.—Effective beginning on the date that is
60 days after the date of enactment of the Enhanced
Cybersecurity for SNAP Act of 2026, a State agency may not
collect a charge under clause (i) if—
“(I) the EBT card to be replaced has not been replaced for
any reason more than 3 times during the 1-year period ending
on the date on which the replacement EBT card is issued; or
“(II) the replacement of the EBT card is due to—
“(aa) theft of, or fraud relating to, the EBT card; or
“(bb) required replacement in compliance with the
regulations promulgated pursuant to paragraph (15)(B)(i).
“(iii) Amount.—The amount of a charge under clause (i)
shall be equal to not more than the cost of issuing the
replacement EBT card.”.
(f) Requirement for Retailer Use of Chip-enabled Payment
Terminals as a Condition of SNAP Participation.—Section 9(a)
of the Food and Nutrition Act of 2008 (7 U.S.C. 2018(a)) is
amended—
(1) in paragraph (2)—
(A) by striking “(2) The Secretary” and inserting the
following:
“(2) Regulations.—The Secretary”; and
(B) by indenting the margins of subparagraphs (A) and (B)
appropriately;
(2) by indenting the margin of paragraph (3) appropriately;
and
(3) by adding at the end the following:
“(5) Chip-enabled payment terminals.—
“(A) In general.—Except as provided in subparagraph (B),
not later than 180 days after the date on which the
regulations promulgated pursuant to section 7(h)(15)(B)(i)
become final, the Secretary shall require retail food stores
and wholesale food concerns seeking authorization or
reauthorization to accept and redeem benefits under the
supplemental nutrition assistance program to have a chip-
enabled (as defined in section 7(h)(15)(A)) payment terminal
at each retail location of the retail food store or wholesale
food concern.
“(B) Exception.—Subparagraph (A) shall not apply to any
transaction involving a retail food store or wholesale food
concern that occurs exclusively online.”.
(g) GAO Report.—Not later than 2 years after the date of
enactment of this Act, the Comptroller General of the United
States shall submit to the Committee on Agriculture,
Nutrition, and Forestry of the Senate and the Committee on
Agriculture of the House of Representatives a report that
describes—
(1) the actions carried out by State agencies (as defined
in section 3 of the Food and Nutrition Act of 2008 (7 U.S.C.
2012)), retail food stores (as defined in that section), and
wholesale food concerns (within the meaning of that Act (7
U.S.C. 2011 et seq.)) to decrease or eliminate risks with
respect to transactions involving EBT cards (as defined in
that section);
(2) the feasibility of the actions described in paragraph
(1); and
(3) the impact of the risks described in paragraph (1) on—
(A) implementation of the supplemental nutrition assistance
program established under the Food and Nutrition Act of 2008
(7 U.S.C. 2011 et seq.) by those retail food stores and
wholesale food concerns; and
(B) the redemption of benefits (as defined in section 3 of
that Act (7 U.S.C. 2012)) by recipients.
(h) Report on EBT Cards Issued in Puerto Rico.—
(1) In general.—Not later than 1 year after the date of
enactment of this Act, the Secretary of Agriculture shall
submit to the Committee on Agriculture, Nutrition, and
Forestry of the Senate and the Committee on Agriculture of
the House of Representatives, and make publicly available on
the website of the Department of Agriculture, a report on the
security of EBT cards (as defined in section 3 of the Food
and Nutrition Act of 2008 (7 U.S.C. 2012)) issued in the
Commonwealth of Puerto Rico, including—
(A) the resistance of those EBT cards to cloning; and
(B) if appropriate, recommendations for improving the
security of the electronic benefit transfer system against
EBT card cloning-based fraud.
(2) Restricted annex.—A publicly available report under
this subsection—
(A) shall exclude any information that—
(i) relates to methods to exploit EBT card and
cybersecurity weaknesses, as determined by the Secretary of
Agriculture; or
(ii) is identifying or proprietary merchant information;
but
(B) may include information described in subparagraph (A)
in a nonpublicly available annex.