Why banks need a payroll connectivity API that prioritizes information security

December 6, 2022

Between July 2021 and July 2022, the average number of APIs per organization increased by 82%, from 89 to over 162. However, malicious API attack traffic also grew, causing 54% of companies to hit the brakes on rolling out new apps due to security concerns.

As a payroll data connectivity API provider, Pinwheel is well aware of the risks that come with poor data security. Financial service providers rely on payroll data for important processes such as direct deposit switching and income and employment verification. With an API for payroll connectivity, they can automate these processes and easily access verified consumer-permissioned data.

However, exposure of this information in a data breach could lead to hacked bank accounts, identity theft, and other serious consequences.

Common attacks against APIs include SQL injections, distributed denial-of-service (DDoS) attacks, and cross-site scripting (XSS). To successfully defend their customers’ data against ever-evolving attacks, financial service providers should integrate APIs that employ an enterprise security strategy with the help of top data security engineers. 

What happens when payroll security is compromised

In December 2021, workforce management company Ultimate Kronos Group (UKG) fell victim to a ransomware attack, resulting in nothing short of chaos for companies such as PepsiCo, Whole Foods, and FedEx.

Because the attack targeted software that employers use for payroll and employee time-tracking, workers across the country received paychecks that were significantly lower than expected. Meanwhile, employers had to find an alternative way to process employees’ pay. The city of Cleveland, for example, put together a “war room” to make payroll for 8,000 employees. Some companies reverted to using paper checks.

The data breach also exposed employees’ personally identifiable information, leaving them vulnerable to identity theft. In one lawsuit against UKG, an employee of a company using UKG solutions claims he was notified by his credit card company that his Social Security number had been found on the dark web. After the data breach, the employee was targeted by spam calls and emails. The lawsuit also reports that the banking information of some PepsiCo employees was allegedly hacked after the breach.

With these consequences in mind, banks and fintechs must do everything in their power to avoid and prevent data breaches. “Security incidents can lead to reputational damage for financial service providers and a loss of customers who no longer trust the organization or its partners. This is often the case when sensitive customer data is exposed, which can create identity theft risks to consumers,” explains Jeff Hudesman, Chief Information Security Officer (CISO) at Pinwheel.

Must-have security features for payroll data connectivity APIs

Accessing payroll data with an API is much safer than relying on emails and manual PDF uploads. But APIs still require an advanced security strategy. When consumers use a payroll data connectivity API to update their direct deposit settings or grant a lender access to their income data, they do so with the trust that their information won’t get into the wrong hands. Therefore, financial service providers must implement APIs with robust security measures, starting with access control.

Broken access control is the number-one web application security risk, allowing unauthorized users to access information or take actions they shouldn’t be able to take. Pinwheel uses the OAuth2 framework to secure access control across different scenarios. With OAuth2, an app can access data hosted by another app on a user’s behalf without exposing their credentials.

Encryption is also essential for APIs that exchange sensitive user information. More specifically, API providers should secure data using Transport Layer Security (TLS), an encryption protocol that safeguards apps from data breaches. Pinwheel, for example, implements both TLS and the Advanced Encryption Standard (AES-256). AES was originally developed for the U.S. government and was approved by the National Security Agency to protect highly sensitive intelligence. We also implement encryption when the data is in transit and at rest.

Alongside encryption, APIs should undergo independent security assessments. On a yearly basis, Pinwheel hires independent third-party security experts to provide an in-depth assessment of our data security, including a code analysis and a detailed security review. 

Twice a year, Pinwheel also conducts penetration testing of our systems to test for exploitable weaknesses, such as access control flaws, XSS, cross-site request forgery (CSRF), and SQL injection. “Penetration testing refers to the process of methodically hacking into your system and network to identify and expose as many vulnerabilities as you possibly can, from multiple vantage points. Ethical hackers and security researchers perform these tests with our full knowledge and authorization. This enables us to find security issues and quickly remediate them,” explains Pinwheel’s CISO.

Financial service providers that plan on integrating an API should also closely examine the security certifications of the vendor. The benefits of certification include:

  • Defined responsibilities and business processes for information security 
  • A culture of information security and diligence 
  • Reduced security incidents through implemented controls specific to the API’s unique risks and assets 
  • Meeting additional security compliance requirements

The ISO 27001 certification, for instance, ensures API providers follow best practices related to information security and are prepared to handle any threats. A SOC 2 Type II report is another certification to take note of; it audits an organization’s security controls over a period of at least six months.

Partner with the only API provider in the industry with a CISO

Information security is a marathon, not a sprint. It’s not a job that is ever finished, and any strategy that protects consumer data should constantly evolve to address and stay ahead of security threats. That’s why Pinwheel has a CISO at the helm of our security strategy.

As the only API provider in the payroll connectivity space with a CISO, we are best prepared to maintain a secure system and address any potential risks to consumer data in the future. Because we use bank-level encryption protocols and monitor our systems 24/7, fintechs and financial institutions can rest assured that their customers’ information is safe.

Contact us to learn more about Pinwheel’s dedication to information security and discover our solutions across direct deposit switching, income verification, and more.
