CCSS Designations: Self Custody; Qualified Service Provider (QSP); Full System (FS)


C4’s CryptoCurrency Security Standard (CCSS) is the only standard that certifies for securing cryptocurrency systems.

CCSS is a set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, CCSS ensures a balance between security and usability so that end-users can easily make educated decisions about which companies and products they wish to align with.

CCSS audited systems are identified as Self Custody, Qualified Service Provider (QSP) or Full System (FS).

Self Custody

A CCSS Self Custody system controls all keys to the system that controls the entity’s own funds. Self Custody systems do not have control over customer funds.

If an entity uses a service provider as part of its cryptocurrency system, this could impact the security of the systems that provide cryptocurrency functions. The entity will therefore need to be certified as a Full System instead of Self Custody.

As an example, if a system uses a third-party wallet provider in which the third-party participates in the key management, the system would no longer be Self Custody.

Qualified Service Provider

A CCSS Qualified Service Provider (QSP) is a system that does not meet all applicable CCSS requirements in totality because there are some requirements that the system using the QSP is either wholly or partially responsible for. Because of this, the QSP can only meet the requirements that (1) they have the ability to control, and (2) are part of the service that they provide.

An example of a QSP is a system that participates in signing a customer’s transaction by being in control of one or more of the signing keys used to sign said transaction. The customer controls the other key/s.

When customers are responsible for the other keys, the assessed entity’s system has no ability to control how they are secured at rest or when they are being used since they are within the customer's environment. Because of this, the assessed entity’s system cannot meet the requirements for controlling the signing keys in totality since some of the signing keys are outside of their control.

Full System

A CCSS Full System is a system that meets all applicable CCSS requirements in totality.

A system that provides evidence to the CCSSA that it controls all signing keys will be audited as a CCSS Full System. Full Systems have control over customer funds.

Conclusion

If a system doesn’t meet all the requirements, then that system is either a QSP or uncertified. If a system has control of only some keys and does not meet all the requirements, then it’s not a Full System (and can’t be certified as a Full System); it’s a QSP. If a system controls all keys and does not meet all the requirements, it’s uncertified. If a system controls all keys to the system that controls the entity’s own funds, it is Self Custody.

Don’t trust. Verify.

*Key management is a complex concept with many nuances. This article provides general guidelines; however, each assessed system will require individual scrutiny by a CCSSA.

More articles about the CCSS, written by CCSSA Marc Krisjanous, can be found here: https://www.dhirubhai.net/in/marckrisjanous/recent-activity/posts/

Anna Sender, CPA

Strategic Growth | Market Insights | Competitive Intelligence | Data Analytics | Digital | Blockchain | Financial Services Industry Expertise

1 year

Just completed CEP and I think I almost went into cardiac arrest on the exam time limit because I'm a slow reader lol. But easily some of the most informative educational material on the subject matter I've seen. So well done, C4!
