If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?

You can, they didn't; big difference.