5a. PCI-DSS-v4 - 0-AOC-NxtGen

Payment Card Industry
Data Security Standard

Attestation of Compliance for Report on Compliance – Service Providers
Version 4.0
Revision 1
Publication Date: December 2022

PCI DSS v4.0 Attestation of Compliance for Report on Compliance – Service Providers

Entity Name: NxtGen Datacenter and Cloud Technologies Private Limited

Assessment End Date: 11-09-2024

Date of Report as noted in the Report on Compliance: 13-09-2024

PCI DSS v4.0 Attestation of Compliance for Report on Compliance - Service Providers r1 December 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page i
Section 1 Assessment Information
Instructions for Submission
This Attestation of Compliance (AOC) must be completed as a declaration of the results of the service provider’s
assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing
Procedures (“Assessment”). Complete all sections. The service provider is responsible for ensuring that each section
is completed by the relevant parties, as applicable. Contact the entity(ies) to which this AOC will be submitted for
reporting and submission procedures.
This AOC reflects the results documented in an associated Report on Compliance (ROC). Associated ROC sections
are noted in each AOC Part/Section below.
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS
Report on Compliance Template.

Part 1. Contact Information

Part 1a. Assessed Entity


(ROC Section 1.1)

Company name: NxtGen Datacenter and Cloud Technologies Private Limited

DBA (doing business as): Datacenter & Cloud Technology Service Provider

Company mailing address: Plot No 25-P-13, 1st Phase, Bidadi Industrial Area, Bidadi,
Ramanagar District, Bangalore, Karnataka, India (Zip - 562109)

Company main website: https://nxtgen.com/

Company contact name: Mr. Nakul OC

Company contact title: Vice President

Contact phone number: +91 9739725111

Contact e-mail address: nakul.oc@nxtgen.com

Part 1b. Assessor


(ROC Section 1.1)

Provide the following information for all assessors involved in the Assessment. If there was no assessor for a given
assessor type, enter Not Applicable.

PCI SSC Internal Security Assessor(s)

ISA name(s): NOT APPLICABLE

Qualified Security Assessor

Company name: Cybersigma Consulting Services LLP

Company mailing address: support@cybersigmacs.com

Company website: https://cybersigmacs.com

Lead Assessor name: Abhay Singh

Assessor phone number: +91 9717016127

Assessor e-mail address: abhay@cybersigmacs.com

Assessor certificate number: 206-681

Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the Assessment (select all that apply):

Name of service(s) assessed: Cloud services

Type of service(s) assessed:

Hosting Provider:
  Applications / software
  Hardware
  Infrastructure / Network
  Physical space (co-location)
  Storage
  Web-hosting services
  Security services
  3-D Secure Hosting Provider
  Multi-Tenant Service Provider
  Other Hosting (specify):

Managed Services:
  Systems security services
  IT support
  Physical security
  Terminal Management System
  Other services (specify):

Payment Processing:
  POI / card present
  Internet / e-commerce
  MOTO / Call Center
  ATM
  Other processing (specify):

Other services:
  Account Management
  Fraud and Chargeback
  Payment Gateway/Switch
  Back-Office Services
  Issuer Processing
  Prepaid Services
  Billing Management
  Loyalty Programs
  Records Management
  Clearing and Settlement
  Merchant Services
  Tax/Government Payments
  Network Provider
  Others (specify):

Note: These categories are provided for assistance only and are not intended to limit or predetermine an entity’s service description. If these categories do not apply to the assessed service, complete “Others.” If it is not clear whether a category could apply to the assessed service, consult with the entity(ies) to which this AOC will be submitted.

Part 2a. Scope Verification (continued)

Services that are provided by the service provider but were NOT INCLUDED in the scope of the Assessment (select all that apply):

Name of service(s) not assessed: Services mentioned in the above section are excluded from this section.

Type of service(s) not assessed:

Hosting Provider:
  Applications / software
  Hardware
  Infrastructure / Network
  Physical space (co-location)
  Storage
  Web-hosting services
  Security services
  3-D Secure Hosting Provider
  Multi-Tenant Service Provider
  Other Hosting (specify):

Managed Services:
  Systems security services
  IT support
  Physical security
  Terminal Management System
  Other services (specify):

Payment Processing:
  POI / card present
  Internet / e-commerce
  MOTO / Call Center
  ATM
  Other processing (specify):

Other services:
  Account Management
  Fraud and Chargeback
  Payment Gateway/Switch
  Back-Office Services
  Issuer Processing
  Prepaid Services
  Billing Management
  Loyalty Programs
  Records Management
  Clearing and Settlement
  Merchant Services
  Tax/Government Payments
  Network Provider
  Others (specify):

Provide a brief explanation why any checked services were not included in the Assessment:

Part 2b. Description of Role with Payment Cards


(ROC Section 2.1)

Describe how the business stores, processes, and/or transmits account data:
NxtGen Datacenter and Cloud Technologies Private Limited ("Company") is in the business of providing data center services including but not limited to ‘data center infrastructure as a service on a hosted and On-Premises mode and enterprise cloud services which will be utilized by the customer for hosting content. NxtGen Datacenter & Cloud Technologies Pvt. Ltd. is a service provider that offers clients infinite data center & cloud technologies services. It
offers a variety of clients assurance and analytical services. During the job, agents are not able to see the card data. NxtGen Datacenter & Cloud Technologies Pvt. Ltd. does not download or save data from the client's environment.

Describe how the business is otherwise involved in or has the ability to impact the security of its customers’ account data:
As NxtGen provides only infrastructure-related services as per the defined scope, NxtGen's employees cannot see the card data in the client's environment; they also cannot store or share the data.

Describe system components that could impact the security of account data:
Not Applicable

Part 2c. Description of Payment Card Environment

Provide a high-level description of the environment covered by this Assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POI devices, databases, web servers, etc., and any other necessary payment components, as applicable.
• System components that could impact the security of account data.

Response:
NxtGen uses dedicated and shared infrastructure resources for operations. The covered infrastructure includes physical security, to support our client for a PCI DSS compliant data center.
All boundaries of the cardholder data environment were covered.
NxtGen's locations do not store any cardholder data.
Network segmentation was used to reduce the scope of the assessment and was verified.
The boundaries between trusted and untrusted networks were reviewed.
All wireless and wired networks were verified.
All other connection points applicable to the assessment were also covered as applicable.

Indicate whether the environment includes segmentation to reduce the scope of the Assessment: Yes / No
(Refer to the “Segmentation” section of PCI DSS for guidance on segmentation)

Part 2d. In-Scope Locations/Facilities


(ROC Section 4.6)

List all types of physical locations/facilities (for example, corporate offices, data centers, call centers and mail
rooms) in scope for this Assessment.

Columns: Facility Type; Total Number of Locations (how many locations of this type are in scope); Location(s) of Facility (city, country)

Facility Type: Example: Data centers
Total Number of Locations: 3
Location(s) of Facility: Boston, MA, USA

Facility Type: Registered Office
Total Number of Locations: 1
Location(s) of Facility: Plot No 25-P-13, 1st Phase, Bidadi Industrial Area, Bidadi, Ramanagar District, Bangalore 562109, Karnataka, India

Facility Type: Corporate Office
Total Number of Locations: 1
Location(s) of Facility: Mahadevapura, No. 73/1, Summit Tower A 4th and 5th Floor, Brigade Metropolis, Whitefield Main Road GarudacharPalya, Mahadevapura, Bengaluru, Bengaluru Urban, Karnataka, 560048, India

Facility Type: Data Center
Total Number of Locations: 4
Location(s) of Facility:
1. Plot No 25-P-13, 1st Phase, Bidadi Industrial Area, Bidadi, Ramanagar District, Bangalore 562109, Karnataka, India
2. BSNL Ahmedabad IDC, BSNL IDC, Bapunagar Tele. Exch. Building, Ahmedabad - 380 024 Gujarat, India
3. BSNL Faridabad IDC, BSNL Data Center, Faridabad - 121 003 Haryana, India
4. BSNL Mumbai IDC, BSNL IDC, 8th Floor, Mumbai - 400 001 Maharastra, India

Part 2e. PCI SSC Validated Products and Solutions
(ROC Section 3.3)

Does the entity use any item identified on any PCI SSC Lists of Validated Products and Solutions*? Yes / No

Provide the following information regarding each item the entity uses from PCI SSC's Lists of Validated Products and Solutions:

Columns: Name of PCI SSC-validated Product or Solution; Version of Product or Solution; PCI SSC Standard to which Product or Solution Was Validated; PCI SSC Listing Reference Number; Expiry Date of Listing (YYYY-MM-DD)

No entries; the six rows of the table are left blank.

* For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated
products, solutions, and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org)
(for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment
Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS
(SPoC) solutions, and Contactless Payments on COTS (CPoC) solutions).

Part 2f. Third-Party Service Providers
(ROC Section 4.4)

For the services being validated, does the entity have relationships with one or more third-party service providers that:

• Store, process, or transmit account data on the entity’s behalf (for example, payment gateways, payment processors, payment service providers (PSPs), and off-site storage): Yes / No

• Manage system components included in the entity’s Assessment (for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting companies, and IaaS, PaaS, SaaS, and FaaS cloud providers): Yes / No

• Could impact the security of the entity’s CDE (for example, vendors providing support via remote access, and/or bespoke software developers): Yes / No

If Yes:

Name of Service Provider: / Description of Services Provided:

Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Summary of Assessment
(ROC Section 1.8.1)

Indicate below all responses provided within each principal PCI DSS requirement.

Requirement Finding (more than one response may be selected for a given PCI DSS requirement; indicate all responses that apply): In Place / Not Applicable / Not Tested / Not in Place
Select if below method(s) was used: Customized Approach / Compensating Controls

Requirement 1:

Requirement 2:

Requirement 3:

Requirement 4:

Requirement 5:

Requirement 6:

Requirement 7:

Requirement 8:

Requirement 9:

Requirement 10:

Requirement 11:

Requirement 12:

Appendix A1:

Appendix A2:

Section 2 Report on Compliance
(ROC Sections 1.2 and 1.3.2)

Date Assessment began: 12-06-2024


Note: This is the first date that evidence was gathered, or observations were made.

Date Assessment ended: 19-09-2024


Note: This is the last date that evidence was gathered, or observations were made.

Were any requirements in the ROC unable to be met due to a legal constraint? Yes No

Were any testing activities performed remotely? Yes No


If yes, for each testing activity below, indicate whether remote assessment activities were
performed:

• Examine documentation Yes No

• Interview personnel Yes No

• Examine/observe live data Yes No

• Observe process being performed Yes No

• Observe physical environment Yes No

• Interactive testing Yes No

• Other: Yes No

Section 3 Validation and Attestation Details

Part 3. PCI DSS Validation


(ROC Section 1.7)

This AOC is based on results noted in the ROC dated (Date of Report as noted in the ROC 13-09-2024).
Indicate below whether a full or partial PCI DSS assessment was completed:
Full Assessment – All requirements have been assessed and therefore no requirements were marked as Not
Tested in the ROC.
Partial Assessment – One or more requirements have not been assessed and were therefore marked as Not
Tested in the ROC. Any requirement not assessed is noted as Not Tested in Part 2g above.

Based on the results documented in the ROC noted above, each signatory identified in any of Parts 3b-3d, as
applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (select one):

Compliant: All sections of the PCI DSS ROC are complete, and all assessed requirements are marked
as being either In Place or Not Applicable, resulting in an overall COMPLIANT rating; thereby E2E
Networks Limited has demonstrated compliance with all PCI DSS requirements except those noted as
Not Tested above.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or one or more requirements are
marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Service Provider
Company Name) has not demonstrated compliance with PCI DSS requirements.
Target Date for Compliance: YYYY-MM-DD
An entity submitting this form with a Non-Compliant status may be required to complete the Action Plan
in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before
completing Part 4.

Compliant but with Legal exception: One or more assessed requirements in the ROC are marked
as Not in Place due to a legal restriction that prevents the requirement from being met and all other
assessed requirements are marked as being either In Place or Not Applicable, resulting in an overall
COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Service Provider Company Name) has
demonstrated compliance with all PCI DSS requirements except those noted as Not Tested above or
as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted.
If selected, complete the following:

Affected Requirement Details of how legal constraint prevents requirement from being met

Part 3a. Service Provider Acknowledgement

Signatory(s) confirms:
(Select all that apply)

The ROC was completed according to PCI DSS, Version 4.0 and was completed according to the
instructions therein.

All information within the above-referenced ROC and in this attestation fairly represents the results of the
Assessment in all material respects.

PCI DSS controls will be maintained at all times, as applicable to the entity’s environment.

Part 3b. Service Provider Attestation

Signature of Service Provider Executive Officer ↑ Date: 24-09-2024

Service Provider Executive Officer Name: Mr. Nakul OC Title: Vice President

Part 3c. Qualified Security Assessor (QSA) Acknowledgement

If a QSA was involved or assisted with this Assessment, indicate the role performed:
  QSA performed testing procedures.
  QSA provided other assistance. If selected, describe all role(s) performed:

Signature of Lead QSA ↑ Date: 24-09-2024

Lead QSA Name: Abhay Singh

Signature of Duly Authorized Officer of QSA Company ↑ Date: 19-09-2024

Duly Authorized Officer Name: Neha Abbad
QSA Company: Cybersigma Consulting Services

Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement

If an ISA(s) was involved or assisted with this Assessment, indicate the role performed:
  ISA(s) performed testing procedures.
  ISA(s) provided other assistance. If selected, describe all role(s) performed:

Part 4. Action Plan for Non-Compliant Requirements
Only complete Part 4 upon request of the entity to which this AOC will be submitted, and only if the Assessment
has Non-Compliant results noted in Section 3.
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for
each requirement below. For any “No” responses, include the date the entity expects to be compliant with the
requirement and provide a brief description of the actions being taken to meet the requirement.

Columns: PCI DSS Requirement; Description of Requirement; Compliant to PCI DSS Requirements (Select One: YES / NO); Remediation Date and Actions (If “NO” selected for any Requirement)

1: Install and maintain network security controls
2: Apply secure configurations to all system components
3: Protect stored account data
4: Protect cardholder data with strong cryptography during transmission over open, public networks
5: Protect all systems and networks from malicious software
6: Develop and maintain secure systems and software
7: Restrict access to system components and cardholder data by business need to know
8: Identify users and authenticate access to system components
9: Restrict physical access to cardholder data
10: Log and monitor all access to system components and cardholder data
11: Test security systems and networks regularly
12: Support information security with organizational policies and programs
Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers – NA
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections – NA
