Cryptocurrency Security Standard (CCSS)

Why Trust Techopedia

What is the Cryptocurrency Security Standard (CCSS)?

The Cryptocurrency Security Standard (CCSS) is a security framework that provides guidelines and best practices for protecting cryptocurrency assets and operations from external cybersecurity attacks and internal fraud.


The framework, which was developed by the CryptoCurrency Certification Consortium (C4), is meant to complement traditional information and communication technology (ICT) security frameworks such as ISO 27001 and  PCI DSS.

According to the official website, the CCSS framework is a living document that is updated regularly by the C4 Steering Committee to reflect new security threats and best practices. The framework’s security controls cover two primary domains: cryptocurrency asset management and cryptocurrency operations.

Asset Management:

This domain focuses on securing and managing the cryptographic keys that control access to a user’s cryptocurrency funds. It provides guidelines and best practices for implementing security controls that address:

  • Cryptographic key/seed generation and storage.
  • Cryptographic transactions.
  • Crypto wallet creation and storage.


This domain focuses on how transactions are created, signed, and broadcast to the network, how cryptocurrency systems are updated, and how security incidents are identified and dealt with. It provides guidelines and best practices for implementing security controls that address:

Cryptocurrency Security Standard Certifications

The CCSS framework is open source and free for anyone to use, but C4 does offer an opt-in certification that allows well-established or new cryptocurrency projects or business owners to publicly share their commitment to implementing robust security practices and protocols.

To ensure a broad range of security coverage, the CCSS provides three levels of certification for information systems. Project and business managers can seek the certification level that is most closely aligned with the value of the digital assets their systems handle, the system’s operational complexity, and the associated risk profile.

Level I Certification: An information system that achieves Level I certification has demonstrated through an audit that they have implemented a comprehensive set of security controls, have a process for managing cyberthreats and other security risks, and have a process for responding to security incidents. This foundational level ensures that an information system meets all the essential security standards required to support a cryptocurrency project.

Level II Certification: An information system that achieves Level II certification has demonstrated through an audit that they have implemented a comprehensive set of security controls that meet or exceed the requirements of CCSS Level I by including enhanced security measures designed specifically for decentralized systems. Systems that are compliant with CCSS Level 2 or higher, are more likely to withstand cyberattacks that give bad actors access to the cryptographic components and mechanisms that underpin cryptocurrencies.

Level III Certification: This advanced certification builds upon the requirements for Levels I and II by incorporating more stringent security controls, advanced risk management practices, regular security audits, and continuous monitoring. An information system that achieves Level III security provides protection from both known and emerging crypto threats by using enhanced security controls that address the unique requirements of decentralized, geographically distributed cryptographic systems.

CCSS Adoption

The CCSS framework is a valuable resource for cryptocurrency risk management and anyone involved in the development or use of cryptocurrency systems, products, and services. Framework adoption is being promoted as a way to help reduce the risk of theft and fraud, increase user confidence, and help make regulatory compliance initiatives more transparent.

According to Deloitte, however, even though the CCSS has been around for almost ten years, very few projects are claiming adherence with the framework. During a review of high profile cryptocurrency breaches, the accounting firm found that every system that suffered a  breach was non-compliant with CCSS Level 1.

Currently, only two entities are listed on the official website as having received Level III certifications: Fireblocks Limited and Liminal. Fireblocks is an enterprise-grade infrastructure-as-a-service (IaaS) platform for moving, storing, and issuing digital assets. Liminal is a digital wallet and storage-as-a-service provider whose services are designed to support Web3.

CCSS Audits

A CCSS audit evaluates the people, processes and technology that support cryptocurrency functions. When an assessed entity’s systems are audited, the auditor (known as a CCSSA) will review the entity’s compliance level for each aspect below:

CCSS Auditors

Cryptocurrency Security Standard auditors must pass an exam that demonstrates their working knowledge for each security concern above.

The CCSS auditor exam fee is $500 USD and the exam is only given in English. It includes 100 multiple-choice and true/false questions that must be answered in 90 minutes or less. A passing grade of 70% is required to apply for certification.

The certification fee itself is $1000 USD. Both the exam and certification fees must be paid for in Bitcoin or another acceptable cryptocurrency.


Related Questions

Related Terms

Margaret Rouse
Senior Editor
Margaret Rouse
Senior Editor

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.