Overview of Crypto Currency Security Standards (CCSS) and Industry Audit Options

When:  Apr 6, 2023 from 08:30 to 17:00 (VET)
Associated with  Curacao Chapter

Overview of Crypto Currency Security Standards (CCSS) and Industry Audit Options by William Santiago

CCSS is a standard for securing cryptocurrency systems. A set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align.

CCSS is designed to complement existing information security standards (i.e., ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies such as Bitcoin.

CCSS is not designed to substitute or replace these standards; in fact, following the CCSS to the letter while ignoring standards like ISO 27001:2013 will likely lead to compromise.

CCSS is a cryptocurrency standard that augments standard information security practices. As with any standard, knowledgeable and experienced security professionals and/or auditors are necessary when implementing any information system to ensure coverage of all classes of attack as well as the appropriate handling of all potential risks.

There are different types of cryptocurrency systems, and an Entity can have multiple types of systems. Entities are not certified, but rather systems are certified. Systems can be certified as CCSS Level 1, 2, or 3 with increased security as the levels increase. Systems fall into 3 buckets. Self-Custody, Qualified Service Provider (QSP), and Full System.

A self-custody system has sole control of the private keys that controls that entity’s own funds. Self Custody systems do not have control over customer funds.

A CCSS Qualified Service Provider (QSP) is a system that does not meet all applicable CCSS requirements in totality because there will be some requirements that the system using the service will be either wholly or partially responsible for. Because of this, the QSP can only meet the requirements that they (1) have the ability to control, and (2) are part of the service that they provide.

A CCSS Full System is a system that meets all applicable CCSS requirements in totality. In situations where a system includes a QSP system as part of their system, some CCSS requirements may be met by the QSP system, as determined by the CCSSA.

The training contents for this 1-day session is as below. 

○ Introduction to CryptoCurrency Security Standard (CCSS)
■ Overview of CCSS
■ Importance of CCSS in the Cryptocurrency industry
■ Objectives of the course

○ CCSS Level 1: Baseline Requirements
■ Overview of C CSS Level 1
■ Importance of CryptoCurrency wallet security
■ Best practices for securing crypto assets

○ CCSS Level 2: Stronger Requirements
■ Overview of CCSS Level 2
■ Importance of multifactor authentication
■ Techniques for implementing multifactor authentication
■ Best practices for protecting private keys
● Lunch

○ CCSS Level 3: Advanced Requirements
■ Overview of CCSS Level 3
■ Importance of network security
■ Techniques for implementing network security
■ Best practices for incident response and disaster recovery

○ CCSS Implementation and Auditing
■ Overview of CCSS implementation and auditing
■ Importance of regular security audits
■ Steps for conducting a security audit
■ Best practices for maintaining CCSS compliance

○ Conclusion
■ Recap of key points from the course
■ Importance of continuing education in cryptocurrency security
■ Opportunities for further learning and advancement in cryptocurrency security


Member and non-member: Naf 150

CPE Hours:


Centrale Bank van Curacao en Sint Maarten
Simon Bolivarplein 1
Willemstad, 00000


Cai Walters