Do You Need to be PCI and PABP Certified?

PCI Lock

Not every company that needs to be PCI compliant even knows of the requirement. If you store, process or transmit credit card data in your applications or e-commerce site, you are required to be PCI compliant and, depending on your transaction volume, to have that compliance validated by an audit.

If you are a software vendor selling software that enables credit card functionality, you need an additional certification called PABP (Visa's Payment Application Best Practices). I'll talk a bit about these two certifications, tell you a little about the process of becoming PCI certified, and cover why it's good and what completely sucks about it!

What is PCI?

PCI, short for the Payment Card Industry Data Security Standard (PCI DSS), is a required set of security controls for every point at which credit card data is stored, processed or transmitted. It is the result of the major credit card companies coming together to develop a common security standard, with particular attention to electronic transactions (e-commerce).

VISA has an additional program called CISP (Cardholder Information Security Program), which adopts the PCI Data Security Standard as its technical requirements.

What’s the Worst that Could Happen?

From the customer’s point of view, their information is hijacked, fraudulent charges are run up on the card, and identity theft and several other invasive, frustrating repercussions may follow.

From the vendor’s point of view, you can lose customers, suffer bad publicity… oh, and face monstrous fines per credit card exposed in the breach.

Becoming PCI Compliant

Becoming PCI compliant really depends on where you are now, what type of business you do, and which merchant or service-provider level you fall into. I would recommend consulting a PCI auditing company (a Qualified Security Assessor) to assess your business. This auditing company will most likely also lay out a track for becoming compliant and will actually perform the audit you need to pass to gain certification. This is not cheap! The cost of the audit is determined primarily by the size of your operation: the software you have written, the network environment it is hosted in, and the number of transactions you handle.

From my experience with PCI certification, the vast majority of the requirements centered on physical and network security. Software security and data storage were important as well, of course, but most of the heavy lifting falls on network administrators. If you have a datacenter, that is where most of the work lands, along with possibly a large outlay for additional physical security controls if you do not already have them.

As far as software goes, the main requirements are strong encryption of stored card data, encryption of the data-encrypting keys under separate key-encrypting keys (DEK/KEK, as outlined in the PCI requirements) with tightly restricted access to those keys, and monitoring/logging of every access to credit card systems and to the card data itself, among much more.

Please see below (at the end of this post) to access a short list of resources to help you in learning more about PCI/PABP compliance and certification.

Why It Can Suck?

Well, inherently it’s a very good thing. Credit card and identity security is extremely important and was taken too lightly during e-commerce’s infancy. That doesn’t mean the process isn’t an extreme pain to go through. PCI implementations can and usually do take several months for existing systems; but again, this all depends on the size of the implementation.

The major issue from the software development side is that it adds a layer of complexity for the end-users of credit card systems; by end-users, I don’t mean people purchasing product, but the people who need to manage orders, develop reports, etc. If the system has access to credit card data, they need to be restricted in what they can do, subject to time constraints (such as idle-session timeouts), required to use strong passwords (this can be a huge pain for users), and much more. Additionally, all credit-card-specific data must be housed on a separate server in an extremely isolated manner. This means very limited access to that server (database) after it is set up, which slows development and debugging down enormously. Simple retrieval of that isolated data becomes a much greater task because it cannot readily be joined to normal user data that may be housed in your do-everything-else database(s).

From a purely non-technical perspective, PCI certification adds a barrier to entry for software developers who may want to work with credit card transactions but do not feel comfortable putting out the money, and effort, of becoming PCI certified. This limitation has the potential to stunt the growth of many e-commerce platforms.

Additional Resources

PCI Security Standards Council: https://www.pcisecuritystandards.org/

VISA CISP Program: http://usa.visa.com/merchants/risk_management/cisp.html?it=h4|/merchants/risk_management/cisp_tools_faq.html|Cardholder%20Information%20Security%20Program

Security Metrics (PCI Auditors): http://securitymetrics.com/

UrlRewriting with UrlRewritingNet.UrlRewriting (Supertroopers – meow)

The title of this post/article probably doesn’t make sense to most people. In my head I was trying to come up with a title and nearly every word was UrlRewriting; it got me thinking of the scene in Supertroopers where they see how many times they can say meow while they pull someone over.

Ok, enough of that train of thought – what we want to get to is how to do UrlRewriting, which is, of course, how to convert URLs such as http://www.nicholasbarger.com/default.aspx?blogid=12092 to http://www.nicholasbarger.com/11-UrlRewriting_with_UrlRewritingNetUrlRewriting_(Supertroopers_-_”meow”). But wait! That URL is much longer and still ambiguous, so why would I want to do this?

There are really two main advantages. First, it’s slightly easier to bookmark and recall because it is more text based rather than numeric, but the primary reason is because of search engine visibility. Search engine results are a bit better when the actual name of the webpage relates to the content found on the page; similar to the title of the page matching keywords for the page content.

What We Need

To get started, there are several ways to use UrlRewriting; you can write your own rewriting engine, you can use MVC (includes a routing engine, see article from Scott Guthrie), or you can use one of the prewritten UrlRewriting components that are already out there and have been time-tested. I picked up one several years ago which I use for many of my projects that require UrlRewriting which will be what I use to demo for this posting. You can find it at the following address (http://www.urlrewriting.net/)

Barebones Setup

I’m sure there are detailed directions in the installation packet that you download, but here is a quick step-by-step for barebones installation:

  1. Reference the UrlRewritingNet.UrlRewrite.dll in your project.
  2. Add the following to the <configSections> element of your web.config file:

    <section name="urlrewritingnet" requirePermission="false" type="UrlRewritingNet.Configuration.UrlRewriteSection, UrlRewritingNet.UrlRewriter" />
  3. Add the following directly inside the <configuration> element of your web.config file:

    Note: A sample rule is included which I will explain how to modify and create your own rules for UrlRewriting.

    <urlrewritingnet
        rewriteOnlyVirtualUrls="true"
        contextItemsPrefix="QueryString"
        defaultPage = "default.aspx"
        defaultProvider="RegEx"
        xmlns="http://www.urlrewriting.net/schemas/config/2006/07" >
    	<rewrites>
    		<add name="blogpost" virtualUrl="^~/([0-9]+)-(.*)"            
    		   rewriteUrlParameter="ExcludeFromClientQueryString" 
    		   destinationUrl="~/default.aspx?blogid=$1"
    		   ignoreCase="true" />
    	</rewrites>
    </urlrewritingnet>

  4. Add the following to the <httpModules> element of your web.config file:

    <add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter" />

Now We’re Set, How Do You Use It?

The UrlRewriting engine looks for a URL that matches regular expression based rules you define in the webconfig. It then matches the parameters and reforms them into the destination URL in the specified format.

All you have to do is use links throughout your pages that match the virtual URL rule you specified.

Example:

<a href="http://www.nicholasbarger.com/11-UrlRewriting_with_UrlRewritingNetUrlRewriting_(Supertroopers_-_meow)">View Article</a>

This URL doesn’t actually exist as a file, but the UrlRewriting module intercepts the request and rewrites it server-side to the real page (http://www.nicholasbarger.com/default.aspx?blogid=11). This is a rewrite, not an HTTP redirect: the browser never sees the real URL, which is why the friendly address stays in the address bar.

Creating Your Own Rules

To really get good at this, you need to be a little familiar with regular expressions. I’ll be honest, I never remember off the top of my head regular expressions so I tend to Google a primer on it whenever I sit down and work with these (or lookup old examples for basic pattern matching).

You may want to do the same.

Remember, the virtualUrl is the address you put in your links; it’s also what the user sees in the address bar. The destinationUrl is where the real page lives. You use $ followed by a number (counting the regular expression’s capture groups from left to right) to retrieve the value a capture group matched. In my case, I’m capturing the blogid, which I’ve placed as the prefix to the post/article title; the title portion is captured as $2 but never used in the destination, so any text after the dash resolves to the same post.
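As an added example (my own code, not UrlRewritingNet’s engine), here is a minimal rewrite engine in JavaScript that applies rules shaped like the web.config entry above, so you can test what a virtualUrl pattern captures and what destination it produces before touching the live site. The blogpost rule is the one from the post; the category rule is an assumption added to show a text capture being reused. One thing this version does that you should check in whatever engine you use: each $n capture is URL-encoded before it lands in the destination query string, so a capture cannot smuggle an extra & or # parameter into the real page.

```javascript
// Added example (not the UrlRewritingNet code): a small rewrite engine that
// applies rules in the shape of the web.config entries, so the regex anchoring
// and $1/$2 substitution can be exercised in isolation.
const rules = [
  // The rule from the post. The slug after the dash is captured ($2) but unused.
  { name: 'blogpost', virtualUrl: '^~/([0-9]+)-(.*)', destinationUrl: '~/default.aspx?blogid=$1', ignoreCase: true },
  // Assumed second rule (not from the post): a category listing that reuses a text capture.
  { name: 'category', virtualUrl: '^~/category/([^/]+)/?$', destinationUrl: '~/list.aspx?cat=$1', ignoreCase: true },
];

// Compile each rule's pattern once; ignoreCase maps to the 'i' flag.
function compile(rule) {
  return Object.assign({}, rule, { re: new RegExp(rule.virtualUrl, rule.ignoreCase ? 'i' : '') });
}

// Replace $n with the n-th capture group, URL-encoded so a capture cannot add
// or override query-string parameters in the destination.
function substitute(template, match) {
  return template.replace(/\$(\d+)/g, (_, n) => encodeURIComponent(match[Number(n)] || ''));
}

// Apply the first matching rule to an application-relative path (no query
// string). Rules are tried in order, so the most specific ones go first.
function rewrite(path, compiled) {
  const virtual = '~' + path; // UrlRewritingNet expresses app-relative paths with '~'
  for (const rule of compiled) {
    const m = rule.re.exec(virtual);
    if (m) return { rule: rule.name, destination: substitute(rule.destinationUrl, m) };
  }
  return null; // nothing matched: the request falls through to the real file
}

const compiledRules = rules.map(compile);
```

Note that the blogpost pattern has no trailing $ anchor and its second group is .*, so /11-anything and /11-UrlRewriting_with_… both resolve to blogid=11; that is harmless here because only the numeric capture reaches the destination, but it is exactly the kind of thing to check when a text capture is used.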

Good luck with UrlRewriting and play around a bit to discover some of the benefits of using UrlRewriting.

Note: Be careful when using slashes in your virtual URLs. A slash denotes a directory level, so the browser resolves relative paths (images, stylesheets, links) against the virtual URL rather than the real page, and those references will break unless you use absolute or application-rooted paths.

Non-Web Referenced Webservices in VB.NET

Webservices are extremely common in modern web-based development, especially with the emergence of AJAX and mashup-style development. You can call webservices in a variety of ways; a few include:

  • Javascript and AJAX Script Manager (see A Recipe for AJAX Webservices)
  • Web References (by adding a project web reference through Visual Studio)
  • Ad-hoc (through server-side code, and will be the content for this article)

Ad-hoc Webservices

There are always instances where you want to use differing methods for producing the same results. In this case, we want to be able to access data from a webservice in a server-side environment and possibly perform some actions upon the data that exceed the realm of javascript or similar clientside scripting language.

Weather Webservice Example

For the purpose of demonstration, I’m going to use a random webservice I had in some old code that retrieves the weather conditions for a specific geographical area (city/country). (hopefully, at the time you read this the webservice is still active and free).

The url for the webservice ASMX is the following: http://www.webservicex.net/globalweather.asmx.

HTML Display for the Results

We need to display the result that the webservice returns, we’ll do this in a very simple way:

Weather Condition: <asp:Label ID="lblWeatherCondition" runat="server"></asp:Label>

Time to Wire Up the Webservice Code

This is one way to wire up this webservice. There are other ways as well, please feel free to leave comments on additional improvements to this method.

Note: This webservice returns the real weather document as an escaped XML string inside the outer response document (probably not the best example to use, but this happens in the real world). So I’m actually doing a little extra digging by loading a second XmlDocument from the inner XML we care about.

' Requires Imports System.Net and Imports System.Xml at the top of the file.

Private Sub getWeatherService()
    ' Build the webservice URL. Escape the parameters: "New York" contains a
    ' space, and anything user-supplied could otherwise inject extra
    ' query-string parameters into the request.
    Dim strURL As String = String.Format( _
        "http://www.webservicex.net/globalweather.asmx/GetWeather?CityName={0}&CountryName={1}", _
        Uri.EscapeDataString("New York"), Uri.EscapeDataString("United States"))

    ' Fetch the response as text. Usually one parse is the end of the story, but
    ' this service wraps the weather XML as an escaped string, so two are needed.
    Dim strOuterXML As String
    Using client As New WebClient()
        strOuterXML = client.DownloadString(strURL)
    End Using

    ' XmlResolver = Nothing stops the parser from fetching external entities or
    ' DTDs referenced by the (untrusted) response.
    Dim XMLDoc As New XmlDocument()
    XMLDoc.XmlResolver = Nothing
    XMLDoc.LoadXml(strOuterXML)

    ' The root element's text is the real weather document
    Dim strXML As String = XMLDoc.DocumentElement.InnerText

    ' Load a new XML document with the inner XML content
    XMLDoc = New XmlDocument()
    XMLDoc.XmlResolver = Nothing
    XMLDoc.LoadXml(strXML)

    ' Pull out the value with XPath; Trim() because the service pads it with spaces
    Dim node As XmlNode = XMLDoc.SelectSingleNode("/CurrentWeather/SkyConditions")
    If node Is Nothing Then
        lblWeatherCondition.Text = "Unavailable"
    Else
        lblWeatherCondition.Text = node.InnerText.Trim()
    End If
End Sub

You can now place this webservice call wherever you need to trigger the event.
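Two parts of that server-side call are easy to get wrong, so here is an added example (my own Node.js code, not the post’s VB.NET, and the sample response is constructed rather than captured from the live service) that isolates them: building the GET URL with properly encoded parameters, so a city name containing & cannot add or override query-string parameters, and unwrapping the double-wrapped response, where the outer <string> element holds an entity-escaped copy of the real weather document. The element extractor is deliberately minimal and only suited to this fixed, flat response shape; it is not a general XML parser.

```javascript
// Added example (not the post's VB.NET code): request-URL encoding and
// unwrapping of the GlobalWeather response, runnable offline. The sample
// response is constructed for the demo.
const BASE = 'http://www.webservicex.net/globalweather.asmx/GetWeather';

// URLSearchParams encodes each value, so '&' or '=' inside a city name stays
// inside that one parameter instead of becoming a second one.
function buildWeatherUrl(city, country) {
  const url = new URL(BASE);
  url.searchParams.set('CityName', city);
  url.searchParams.set('CountryName', country);
  return url.toString();
}

// Decode the five predefined XML entities used to escape the inner document.
// A single pass, so '&amp;lt;' correctly becomes '&lt;' rather than '<'.
function decodeXmlEntities(s) {
  return s.replace(/&(lt|gt|quot|apos|amp);/g, (_, e) =>
    ({ lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' })[e]);
}

// Text content of the first <name> element in a flat document. Minimal by
// design: enough for this response's fixed shape, not a general XML parser.
function elementText(xml, name) {
  const m = new RegExp('<' + name + '(?:\\s[^>]*)?>([^<]*)</' + name + '>').exec(xml);
  return m ? m[1] : null;
}

// Outer document -> inner document -> SkyConditions value. Returns null when
// the inner text is not a weather document (the service answers with a plain
// "Data Not Found" string for unknown cities), and trims the padding the
// service adds around the value.
function skyConditions(outerXml) {
  const inner = decodeXmlEntities(elementText(outerXml, 'string') || '');
  const value = elementText(inner, 'SkyConditions');
  return value === null ? null : value.trim();
}

// Constructed sample of the double-wrapped response shape (not a live capture).
const SAMPLE_RESPONSE =
  '<?xml version="1.0" encoding="utf-8"?>' +
  '<string xmlns="http://www.webservicex.NET">' +
  '&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?&gt;' +
  '&lt;CurrentWeather&gt;&lt;Location&gt;New York&lt;/Location&gt;' +
  '&lt;SkyConditions&gt; mostly cloudy &lt;/SkyConditions&gt;' +
  '&lt;/CurrentWeather&gt;</string>';
```

In a real page the URL builder is the part that matters for security: the city and country usually come from a form field, and unencoded concatenation lets the user rewrite the request you send to the third party.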

Extra!

Demonstrations and articles often stop well short of real-world application. Please feel free to take this example and build on it to do several other actions after receiving the data. For example, you could:

  • …use the value to display a corresponding image for the weather to graphically represent the data.
  • …use the value as input to more detailed requests, returning historical data for days with similar conditions, or more detailed information such as barometric pressure, rainfall expectations, etc.
  • …use the value to redirect the user to different areas of the website or change graphical themes by replacing CSS files or switching Themes in .NET.
  • …use the value to do whatever your creative mind comes up with.

Please leave me comments on some of the additional applications you come up with; have working examples, leave the link so we can all check them out!

Feed the Soul – A Few Technology RSS Feeds


Technology RSS Feeds

Here are a few of the technology feeds that I subscribe to. I try and hit a mixture of technical articles as well as business and conceptual information.

Please leave comments for additional technology rss feeds you may have! Even non-IT feeds are appreciated. You never know when you’re going to put two ideas together and make something great.

In a later post, I’ll put additional RSS Feeds that I use (business, science, sports, food, etc.)

Plagiarizing Myself About Entry Level Experience

ASP.NET Forums

Not too far back I was perusing the ASP.NET Forums and I came upon a question I thought I would like to answer. I took a bit more time than usual trying to answer this question and it received pretty good feedback so I thought I would add it to my blog.

The Question on ASP.NET Forums

Hi,

In lots of job search sites relating to .net web developer, the company often asks for candidates with at least 1 year experience in the field. But I want to know exactly what sort of experience do I need to gain in order to get into the web development companies? Since I am new to this field, I have relatively no experience. But I want to know what should I focus and practice on in web development so that I can say I have experience on .net. Do I need to have bits of knowledge in every part of web development using .net, or should it be better if I practice more on particular areas in .net? Secondly, what are the areas I can work on if I learn .net (web development)? Thanks.

jack.

The Response, For Better or Worse

Funny I’ve stumbled upon this question on my first trip to the asp.net forums; it’s something I had recently been concerned about. I am a lead developer in my company and involved in many job interviews for potential candidates, most of which are entry-level developers, and I’ve noticed that most, if not all, are surprisingly under-qualified. Perhaps this is a matter of expectation or perhaps university educational courses lag behind the exponentially increasing speed of new technology; but regardless, the problem exists. I believe it’s extremely unfortunate to be a recent graduate with all of the expectation in the world to succeed out of the gate, and yet, not be properly prepared for entry-level web development.

It’s also an issue regarding the industry, because with the amazingly broad skill levels for the same job description of “web developer”, it’s hard to tell whether you’re entry level, intermediate, or advanced. Personally, every time I think I’ve achieved an advanced level, I quickly learn more and discover how deep the questions, issues, and skills really go and realize my own shortcomings.

Well, enough prefacing; to answer your question, I believe you need to determine what type of company you would like to work for first. Large or small/medium? Generally speaking, a large company will have a much stronger division in duties, they may require certification or simply a related degree, are often harder to first land a job with, but you generally have less responsibility and duties once you land it. A small/midsize company generally requires you to wear several hats, you may act as a programmer as well as a database administrator; you may work with clients directly on some projects, or work under a project manager, and you generally will learn several skillsets (including both business and development) and be required to produce much more actual work as opposed to “passing it down the line”.

I recommend you begin in a small/midsize company so you can learn as much as possible (jump right in) while gaining real-world experience to boost your resume for those bigger companies. To do this, you should learn the following technologies to a point where you can sit down and write most basic apps without having to reference Google (or MSN – sorry, Microsoft) for every other line.

  • SQL – extremely important that you know the basic commands of SQL (SELECT, INSERT, UPDATE; as well as JOINS, SPROCS, and Views, and how aggregate functions like SUM, MAX, COUNT, etc work.)
  • HTML – you can’t do your job if you don’t know HTML inside and out. You should never need to look up how to use a DIV tag, or how to position elements on a page. If you are using purely table-based designs for HTML, you probably are a little too green and need to study up.
  • CSS – at this point, CSS is really part of HTML. Just consider CSS as HTML Chapter 2.
  • Photoshop/Fireworks/etc. – You don’t need to be a graphic designer/artist to be a web developer, but you should take note that regardless of how good your code is, nine out of ten times, all non-technical people understand is how it looks.
  • ASP.NET (I recommend starting in vb.net, it’s generally easier to pick up as a first language if you’re inexperienced and you should know how to work with asp.net controls/form elements such as textboxes, dropdownlists, etc. including reading values from them and also connecting to a database, retrieving some information, and binding to a control).

You’ll notice that I didn’t put Javascript, XML, or several other fairly basic technologies on there; these are all important as well, but things I believe for the amount of use in entry level programming, you can learn on the job or after you’re hired.

Two final notes: Stay out of dreamweaver, use Visual Studio (it’s much more strict regarding code practices (html) out of the box), and DO NOT USE drag-and-drop to begin learning code. Drag and drop programming is fast but it does too much for you, especially when you don’t fully understand what is going on behind the scenes. Write the code to connect to a database, get the data into a datatable and bind it to a dropdownlist without using the WYSIWYG (or whatever you want the app to do, but do it via codebehind), in my opinion, apps written this way are easier to debug.

Sorry for the length, but hopefully it’s good information for someone.

A Recipe for AJAX Webservices

This is a fun and useful concept that is actually really very easy to implement. The recipe calls for two cups webservice, an ounce of AJAX ScriptManager, finished with a dash of javascript.

Note: Begin with an AJAX Enabled Website!

Let’s Start With the Webservice

Obviously, to work with AJAX Webservices you need to start with a webservice. You can use any webservice that you like depending on the application; for the purpose of this demonstration our objective will be to retrieve a list of employees and their occupations (sort of).

Instead of working with SQL to retrieve the data, I am going to simulate this process and then write everything into XML format to make it easier to work with in javascript. Under normal conditions, I would be retrieving information from a database, otherwise the webservice would be a bit pointless.

Below is the code to set up our mock webservice:

' Requires Imports System.Data, System.Text and System.Xml at the top of the file.

<WebMethod()> _
Public Function getData() As String
    Dim dt As New DataTable()
    dt.Columns.Add("Name", GetType(String))
    dt.Columns.Add("Occupation", GetType(String))

    ' Constructed sample rows; normally these would come from a database query.
    dt.Rows.Add("Nicholas B", "Computer Geek")
    dt.Rows.Add("Logan B", "Jon-boat Captain")
    dt.Rows.Add("Ben G", "Aspiring Computer Geek")
    dt.Rows.Add("David M", "Pool Shark")
    dt.Rows.Add("Eric V", "Inventory Terminator")

    Return getDataXML(dt)
End Function

' Serialize the DataTable into the <crew><person>... schema the javascript expects.
' XmlWriter escapes the values, so a name containing < or & cannot break the
' document or inject elements (plain string concatenation would not protect you).
Public Function getDataXML(ByVal dt As DataTable) As String
    If dt Is Nothing OrElse dt.Rows.Count = 0 Then
        Return Nothing
    End If

    Dim sb As New StringBuilder()
    Dim settings As New XmlWriterSettings()
    settings.OmitXmlDeclaration = True

    Using writer As XmlWriter = XmlWriter.Create(sb, settings)
        writer.WriteStartElement("crew")
        For Each row As DataRow In dt.Rows
            writer.WriteStartElement("person")
            writer.WriteElementString("name", row("Name").ToString())
            writer.WriteElementString("occupation", row("Occupation").ToString())
            writer.WriteEndElement()
        Next
        writer.WriteEndElement()
    End Using

    Return sb.ToString()
End Function

The getDataXML() function is just to help move the datatable format into XML in the schema that I want for this demo. The key here is that you have a webservice and it is doing something (in this case returning a list of employees in XML format).

A Secret Ingredient

There is one last secret ingredient that needs to go into your webservice. You need the following line above your webservice class declaration:

<System.Web.Script.Services.ScriptService()> _

This line enables the webservice to be called from javascript and is required.

A Bit of AJAX Script Manager

Next we need to register the script manager and script manager proxy. Take a look at the following code, which goes in the HTML:

<asp:ScriptManager ID="ScriptManager1" runat="server" />
    
    <asp:ScriptManagerProxy id="ScriptManagerProxy1" runat="server">
    <Services>  
        <asp:ServiceReference Path="~/webservice_demo.asmx" />
    </Services>
    <Scripts>
        <asp:ScriptReference Path="~/javascript_demo.js" />
    </Scripts>
    </asp:ScriptManagerProxy>
    
    <input type="button" value="Get Data" onclick="getDataJS();" />

<div id="crew"> </div>

“~/webservice_demo.asmx” is the location of my webservice file and “~/javascript_demo.js” is the location of my external javascript file (which we haven’t covered yet).

The input button is just going to be our trigger to execute the AJAX webservice call; this could be any event-based trigger. The div tag (crew) is just a container to hold our results when they are returned.

Our Dash of Javascript (Maybe a Bit More than a Dash)

// Called from the button's onclick: invokes the generated webservice proxy.
// The proxy adds the success, error and timeout callback parameters.
function getDataJS() {
    webservice_demo.getData(getDataJS_Complete, onError, onTimeout);
    return true;
}

// Parse the XML string into a DOM document. DOMParser is the standard API;
// the ActiveX branch is only for old IE versions that lack it.
function parseXml(text) {
    if (window.DOMParser) {
        return new DOMParser().parseFromString(text, "text/xml");
    }
    var doc = new ActiveXObject("Microsoft.XMLDOM");
    doc.async = false;
    doc.loadXML(text);
    return doc;
}

function getDataJS_Complete(arg) {
    var doc = parseXml(arg);
    if (!doc ||
        (doc.parseError && doc.parseError.errorCode !== 0) ||
        doc.getElementsByTagName("parsererror").length > 0) {
        onError("Malformed XML");
        return;
    }

    var container = document.getElementById("crew");
    container.innerHTML = ""; // clear any previous results

    // Look elements up by name instead of childNodes[] indexes, which break
    // as soon as whitespace text nodes appear between the tags.
    var people = doc.getElementsByTagName("person");
    for (var i = 0; i < people.length; i++) {
        var nameNode = people[i].getElementsByTagName("name")[0];
        var occNode = people[i].getElementsByTagName("occupation")[0];
        var name = (nameNode && nameNode.firstChild) ? nameNode.firstChild.nodeValue : "";
        var occupation = (occNode && occNode.firstChild) ? occNode.firstChild.nodeValue : "";

        // Build the output with text nodes rather than concatenated HTML, so a
        // name containing markup is displayed literally instead of executed.
        var p = document.createElement("p");
        p.appendChild(document.createTextNode(name + " (" + occupation + ")"));
        container.appendChild(p);
    }
}

function onError(arg) {
    alert("Error: " + (arg && arg.get_message ? arg.get_message() : arg));
}

function onTimeout(arg) {
    alert("Timeout");
}

Let’s walk through the javascript a bit. First, getDataJS() is called from our button onclick event. It simply calls our proxy webservice. Notice that our webservice itself doesn’t have the additional onComplete, onError, onTimeout parameters. These parameters are added by the proxy, as all webservices called through the AJAX Script Manager need to account for errors, timeouts, and successes.

The next function, getDataJS_Complete(), gets executed if a successful call to the webservice is made. The code we added parses the XML, loops through the records and builds a simple listing of the results returned. It then places those results into the div we had on the page.

We’ve taken a pretty cheap way out of the error and timeout handling. You can get creative with what happens upon errors; this is pretty standard just to show there was a timeout or there was an error with the webservice.
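One more caveat on the success handler: when the results are assembled as an HTML string and assigned to innerHTML, any markup inside a name or occupation becomes live markup in the page. The data here is hard-coded, but in a real system it comes from a database that users may have written to. Below is an added example (my own code, not from the original post; the records, including the hostile one, are constructed for the demo) showing the raw-concatenation rendering beside a version that HTML-escapes every value. Building DOM text nodes instead of strings avoids the problem entirely; the escaping version is for the cases where you must produce an HTML string.

```javascript
// Added example (not code from the original post): unsafe versus escaped
// rendering of webservice records into an HTML string for innerHTML.
// The records, including the hostile one, are constructed for the demo.

// Escape the characters that carry meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What raw concatenation does: whatever is in the data lands in the page as markup.
function renderCrewUnsafe(people) {
  return people.map(p => '<p>' + p.name + ' (' + p.occupation + ')</p>').join('');
}

// Same output shape, but every data value is escaped before it is concatenated.
function renderCrew(people) {
  return people
    .map(p => '<p>' + escapeHtml(p.name) + ' (' + escapeHtml(p.occupation) + ')</p>')
    .join('');
}

// True if a raw <tag from the data survived into the rendered string, i.e.
// attacker-supplied markup would be interpreted by the browser.
function containsRawTag(html, tag) {
  return html.indexOf('<' + tag) !== -1;
}

// Constructed records: one normal, one carrying an image tag with an event handler.
const CREW = [
  { name: 'Nicholas B', occupation: 'Computer Geek' },
  { name: '<img src=x onerror="alert(1)">', occupation: 'Pool Shark' },
];
```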

Bon Appétit

So, without a whole lot of pain we’ve created an AJAX webservice that we can call in our webpages. Hope this helps!