What Is the CryptoCurrency Security Standard (CCSS)?

Cryptocurrency has been gaining a lot more attention over the last couple of years, and several national governments are even adopting crypto. As more people are wading into these new waters, they have often been flying by the seat of their pants and doing what they think is best. That leads to variable degrees of implementation of security protocols across the various platforms.

In other words, things are ripe for criminals to steal cryptocurrency. And not just ripe. Cryptocurrency exchanges like Crypto.com and blockchain platforms like Ronin have been victims of high-profile security breaches. These kinds of security issues are increasing in the crypto industry, making the need for CCSS compliance coupled with greater security measures overall, more critical than ever.

That’s why the CryptoCurrency Certification Consortium (C4) established the CryptoCurrency Security Standard (CCSS), a set of requirements for entities that make use of cryptocurrencies.

What Is CCSS?

First introduced in 2015, the CryptoCurrency Security Standard is a set of requirements for all information systems that make use of cryptocurrencies — including exchanges, web applications, and cryptocurrency storage solutions. CCSS is intended to provide a standardized methodology so that organizations have something they can go up against.

CCSS isn’t meant to be a standalone security standard, but one that’s complementary to other existing standards, such as ISO 27001, SOC 2, or PCI DSS. Organizations should take a well-rounded approach to security and compliance, and CCSS is the piece within the larger puzzle that specifically addresses critical elements of the cryptocurrency security arena.

CCSS helps ensure that organizations are appropriately handling the security of the storage of the cryptocurrency itself. It is designed for organizations that generate their own cryptocurrency, exchange crypto for other forms of currency, and provide web applications for accessing crypto funds — basically, the crypto equivalent of the Federal Reserve, currency exchanges, and banks.

Featured eBook

The Rock Solid Business Case for Compliance Management Software

Discover How to Get a “Yes” from CFOs That Love to Say “No”

How Is CCSS Structured?

CCSS has a total of 52 requirements, spanning ten aspects of crypto security. The ten aspects are segmented into two domains: Cryptographic Asset Management and CryptoCurrency Operations.

Cryptographic Asset Management

This first section comprises 75 percent of the standard. It covers elements of key handling, wallet generation, key storage, key usage, key compromises, and granting/revoking keys. In the crypto arena, the way that you handle the exchange of those keys and the security around them is unimaginably important.

  1. Key and Seed Generation — A seed is essentially a username and password that gives a user access to their cryptocurrency wallet. Seeds are used to create keys for signing transactions and generating the addresses where crypto funds are stored.
  2. Wallet Creation — In crypto, you have a digital wallet that functions in the same way as a physical wallet. This aspect of CCSS regulates the creation of a crypto wallet and the addresses that are used in crypto transactions.
  3. Key Storage — This aspect addresses how to securely store private keys and seeds when they’re not being used.
  4. Key Usage — This aspect ensures that all keys and seeds are used in a secure manner, maximizing the confidentiality of private keys and ensuring the integrity of all cryptocurrency funds.
  5. Key Compromise Protocol — This protocol determines the proper procedure your organization will follow if keys or seeds are compromised.
  6. Keyholder Access Procedures — These are policies and procedures for granting and revoking user access to keys and seeds.

Cryptocurrency Operations

This section covers the other 25 percent of the standard. It addresses security testing, data sanitation, proof of reserve audits, and audit logs.

7. Security Audits — You must undergo third-party reviews of your security systems, technical controls, and policies. This includes penetration testing and vulnerability scans.

8. Data Sanitation — From time to time, you’ll need to remove cryptographic keys from your systems, as a matter of keeping your data up to date. This aspect addresses how to do that securely.

9. Proof of Reserve — Just as banks need funds in reserve, so do cryptocurrency exchanges and wallets. This aspect requires that cryptocurrency companies be able to show proof of control of all reserve funds in their systems.
10. Audit Logs — You must maintain audit logs of system activity and user activity, with a secure record of all logs for at least a year.

Security Levels of CCSS

Organizations that go up against the standard can achieve one of three levels of security. Each level must pass an Assessor’s audit.

Level 1 — The information system protects its assets with strong levels of security that meet industry guidelines.

Level 2 — The organization exceeds strong levels of security by using enhanced controls in addition to industry guidelines. This includes the use of decentralized security technologies and redundancy.

Level 3 — The information system exceeds enhanced levels of security by implementing formalized policies and procedures. These policies and procedures are enforced at every step within their business processes. Advanced authentication mechanisms ensure the transparency and authenticity of cryptocurrency data at all times. Digital assets are handled and stored in a way that ensures resiliency if an attack occurs.

Getting Certified Under CCSS

To be certified as compliant under CCSS, you need to undergo an annual audit by a certified CCSS Auditor. You can find a list of Auditors on the C4 website. We recommend finding a good Auditor you feel comfortable with and trust. From there, get on the same page about what the Auditor will expect of you and how to best work with them.

You’ll make your compliance experience much less chaotic and much more streamlined if you use a compliance management system to organize your engagement. CCSS is one of dozens of standards available on TCT Portal.

TCT Portal can help you manage every type of compliance standard your organization needs to fulfill, and you can easily manage multiple standards simultaneously. Since the CCSS is intended to be used in conjunction with other industry standard certifications, this means you can take advantage of the multiple certification capabilities with live linked mappings to save time on your engagement.

Don’t Wait to Get Started with CCSS

Cryptocurrency is a realm that relies heavily on trust. If that trust is broken, it could stifle adoption and cause people to bail out. When you’re charged with protecting people’s funds, it’s critical to take that responsibility seriously.

I can’t overstate how important it is to do everything you can to ensure the security of your cryptocurrency platform, on behalf of your customers. Because of the nature of cryptocurrency and the increasing security breaches in the space, it’s incumbent upon every organization in the crypto world to provide an arena where people feel comfortable adopting the platforms.

TCT proves compliance doesn't have to suck.

Check out the TCT podcast:

Listen Now