Would QSAs normally write up a PCI DSS Report on Compliance (ROC) and submit it to all issuing card brands? If not, to whom does the ROC get submitted? Also, if we do not utilize a QSA, what is the easiest procedure to complete the ROC and whom should we submit it to? Is there a standard ROC template? We are currently a Level 3 merchant.