Between July 2021 and July 2022, the average number of APIs per organization increased by 82%, from 89 to over 162. However, malicious API attack traffic also grew, causing 54% of companies to hit the brakes on rolling out new apps due to security concerns.
As a payroll data connectivity API provider, Pinwheel is well aware of the risks that come with poor data security. Financial service providers rely on payroll data for important processes such as direct deposit switching and income and employment verification. With an API for payroll connectivity, they can automate these processes and easily access verified consumer-permissioned data.
However, exposure of this information in a data breach could lead to hacked bank accounts, identity theft, and other serious consequences.
Common attacks against APIs include SQL injections, distributed denial-of-service (DDoS) attacks, and cross-site scripting (XSS). To successfully defend their customers’ data against ever-evolving attacks, financial service providers should integrate APIs that employ an enterprise security strategy with the help of top data security engineers.
What happens when payroll security is compromised
In December 2021, workforce management company Ultimate Kronos Group (UKG) fell victim to a ransomware attack, resulting in nothing short of chaos for companies such as PepsiCo, Whole Foods, and FedEx.
Because the attack targeted software that employers use for payroll and employee time-tracking, workers across the country received paychecks that were significantly lower than expected. Meanwhile, employers had to find an alternative way to process employees’ pay. The city of Cleveland, for example, put together a “war room” to make payroll for 8,000 employees. Some companies reverted to using paper checks.
The data breach also exposed employees’ personally identifiable information, leaving them vulnerable to identity theft. In one lawsuit against UKG, an employee of a company using UKG solutions claims he was notified by his credit card company that his Social Security number had been found on the dark web. After the data breach, the employee was targeted by spam calls and emails. The lawsuit also reports that the banking information of some PepsiCo employees was allegedly hacked after the breach.
With these consequences in mind, banks and fintechs must do everything in their power to avoid and prevent data breaches. “Security incidents can lead to reputational damage for financial service providers and a loss of customers who no longer trust the organization or its partners. This is often the case when sensitive customer data is exposed, which can create identity theft risks to consumers,” explains Jeff Hudesman, Chief Information Security Officer (CISO) at Pinwheel.
Must-have security features for payroll data connectivity APIs
Accessing payroll data with an API is much safer than relying on emails and manual PDF uploads. But APIs still require an advanced security strategy. When consumers use a payroll data connectivity API to update their direct deposit settings or grant a lender access to their income data, they do so with the trust that their information won’t get into the wrong hands. Therefore, financial service providers must implement APIs with robust security measures, starting with access control.
Broken access control is the number-one web application security risk: it lets unauthorized users read data or perform actions they should not be permitted to. Pinwheel uses the OAuth2 framework to enforce access control across different scenarios. With OAuth2, an app can access data hosted by another app on a user’s behalf without ever being given the user’s credentials; it receives a scoped access token instead.
Encryption is also essential for APIs that exchange sensitive user information. More specifically, API providers should protect data using Transport Layer Security (TLS), the protocol that encrypts traffic between a client and the API so it cannot be read or altered on the way. Pinwheel, for example, implements both TLS and the Advanced Encryption Standard with 256-bit keys (AES-256). AES was originally developed for the U.S. government and was approved by the National Security Agency to protect highly sensitive intelligence. We encrypt data both in transit and at rest.
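To make the “at rest” half of that concrete, here is an added example (not Pinwheel’s code, and not an implementation of its platform) of sealing one stored payroll record with AES-256-GCM using Go’s standard library. It assumes the 32-byte key is delivered by a key management service in production; the key, the record ID and the record contents below are constructed sample values. The record ID is bound to the ciphertext as associated data so that a ciphertext copied into a different row, a ciphertext that has been tampered with, or a key of the wrong length is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyLen is 32 bytes: AES-256 means a 256-bit key. A 16-byte key would
// silently select AES-128, so the length is checked explicitly.
const keyLen = 32

// newGCM builds an AES-256-GCM AEAD from a raw key (hypothetical helper).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals a payroll record for storage. recordID is passed as
// associated data: it is authenticated but not encrypted, which ties the
// ciphertext to the row it belongs to. Output layout: nonce || ciphertext+tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM nonce reuse under one key is fatal.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord opens a sealed record. Any mismatch (wrong key, wrong
// recordID, modified bytes) fails the GCM tag check and returns an error.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong record id, or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample key; in production this comes from a KMS/HSM.
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; the account details are not real.
	record := []byte(`{"employee":"sample-employee","routing":"000000000","account":"123456789"}`)

	sealed, err := EncryptRecord(key, "record-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (%d nonce + %d ciphertext/tag)\n", len(sealed), 12, len(sealed)-12)

	if _, err := DecryptRecord(key, "record-43", sealed); err != nil {
		fmt.Println("moved to another row:", err)
	}
	pt, err := DecryptRecord(key, "record-42", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

The design choice worth noting is the associated data: the record ID costs nothing to include, yet it turns a whole class of storage-layer mistakes (a backup restored into the wrong row, a copy-paste between tenants) into a clean decryption failure instead of an information leak.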
Alongside encryption, APIs should undergo independent security assessments. On a yearly basis, Pinwheel hires independent third-party security experts to provide an in-depth assessment of our data security, including a code analysis and a detailed security review.
Twice a year, Pinwheel also conducts penetration testing of our systems to look for vulnerability classes such as broken access control, XSS, cross-site request forgery (CSRF), and SQL injection. “Penetration testing refers to the process of methodically hacking into your system and network to identify and expose as many vulnerabilities as you possibly can, from multiple vantage points. Ethical hackers and security researchers perform these tests with our full knowledge and authorization. This enables us to find security issues and quickly remediate them,” explains Pinwheel’s CISO.
Financial service providers that plan on integrating an API should also closely examine the security certifications of the vendor. The benefits of certification include:
- Defined responsibilities and business processes for information security
- A culture of information security and diligence
- Reduced security incidents through implemented controls specific to the API’s unique risks and assets
- Meeting additional security compliance requirements
The ISO 27001 certification, for instance, shows that an API provider follows information security best practices and has processes in place to handle threats. A SOC 2 Type II report is another attestation worth reviewing; it audits how an organization’s security controls operated over a period of at least six months.
Partner with the only API provider in the industry with a CISO
Information security is a marathon, not a sprint. It’s not a job that is ever finished, and any strategy that protects consumer data should constantly evolve to address and stay ahead of security threats. That’s why Pinwheel has a CISO at the helm of our security strategy.
As the only API provider in the payroll connectivity space with a CISO, we are best prepared to maintain a secure system and address any potential risks to consumer data in the future. From using bank-level encryption protocols to monitoring our systems 24/7, fintechs and financial institutions can rest assured that their customers’ information is safe.
Contact us to learn more about Pinwheel’s dedication to information security and discover our solutions across direct deposit switching, income verification, and more.