The payment brands (e.g., Visa, Mastercard, American Express) are responsible for establishing and managing their own compliance programs that enforce the PCI Card Production and Provisioning (CPP) Security Requirements. These programs often include specific operational mandates, such as required reporting templates for card vendors. As the originators of these compliance and reporting requirements, the payment brands are the definitive authority and are therefore best-placed to provide clarification on any fields within their mandated templates.

B. The vendor: The vendor is the card production entity that fills out the report; they are the party with the query, not the one who can authoritatively answer it.

C. The issuer: While the issuer is the vendor's client, they are also subject to the payment brand's rules. They may not be the ultimate source for the template's specifications.

D. PCI SSC: The PCI Security Standards Council (SSC) develops and maintains the security standards but does not manage the individual compliance or operational reporting programs of the payment brands.

---

1. PCI Security Standards Council, PCI Card Production and Provisioning Security Requirements and Testing Procedures, Version 3.0, March 2020.

Reference: Page 8, Section "PCI Card Production and Provisioning Security Requirements Applicability".

Quote/Content: The document states, "The payment brands are individually responsible for their own compliance programs that enforce compliance with the PCI Card Production and Provisioning Security Requirements." This establishes that the brands manage the implementation and enforcement details, which include specific reporting formats.

2. PCI Security Standards Council, PCI Card Production and Provisioning Logical Security Requirements and Testing Procedures, Version 3.0, March 2020.

Reference: Page 7, Section "Roles and Responsibilities".

Quote/Content: This section defines the "Payment Brand" as the entity that "Establishes and manages its own security and compliance programs." This role explicitly includes defining the program-specific requirements that vendors, issuers, and assessors must follow, which would encompass reporting templates.