Payment-card security standards for wireless and Web applications debated

The PCI Security Standards Council, which represents Visa, MasterCard, American Express and Discover, anticipates expanding requirements for next year that could relate to wireless use as well as Web-application security.
By Ellen Messmer , Network World , 10/24/2007
Payment-card security rules that keep customer credit and debit card information from falling into the wrong hands are becoming a contentious issue as debate over anticipated Payment Card Industry (PCI) standards and their impact heats up.

In addition to the dozen rules for network security that comprise today's PCI Data Security Standard 1.1, the PCI Security Standards Council, which represents Visa, MasterCard, American Express and Discover, anticipates expanding requirements next year that could relate to wireless use as well as Web-application security.

The Council’s general manager Bob Russo this week said the organization is devising new standards for how to design and evaluate any Web-facing business applications for credit-card processing as well as security rules for wireless.

But a final decision is still pending, he said, since there's growing resistance to new requirements for payment-card holders, many of whom aren't yet achieving official compliance with the existing PCI standards. He noted the Council doesn't enforce PCI compliance; that is the job of the card associations and the banks.

The big concern now is that card-processing applications can be hacked, and "we're looking into the best way to handle the application security," said Russo, adding that he anticipates a decision on this in about a month. A decision to go forward may mean applications used to process credit cards would have to be evaluated and approved by a list of certified evaluators.

One change to the PCI security rules that’s certain is the release before year-end of a new “Self-assessment Questionnaire” for PCI that merchants handling payment-card data will be expected to fill out when requested by their banks as part of the PCI compliance process.

"Today, it's a one-size-fits-all, but going forward we'll have four different versions based on the merchant's business," said Russo. "For instance, if they're small and just doing dial-up, there's no need for them to answer 200 questions; we'll just have 30 or 40 questions."

The PCI Security Standards Council also intends to establish new PIN Entry Device (PED) requirements for equipment in an effort to combine the various equipment-security programs administered separately today by card associations MasterCard International, Visa International and JCB. Russo said by year-end, the Council’s Web site will likely detail a list of approved PED equipment.
