CCSS uses system designations to describe how a system is structured in relation to key material management and responsibility. They help clarify whether a system holds its own keys, provides services to other systems, or relies on other systems as part of its design.
The system designations are as follows:
Systems that hold all keys to the system that controls the entity’s own funds.
A CCSS Qualified Service Provider (QSP) is a system that meets many of the requirements for CCSS certification with the exception of the few requirements that another system has control over. A QSP is a system that facilitates a subset of custody services to other systems and therefore is only required to meet certain requirements. This means that if a system uses a QSP, the audit focus is only on the few remaining requirements to become certified.
An information system that meets all applicable CCSS requirements in totality. In situations where an information system utilizes a CCSS certified Qualified Service Provider (QSP) information system (e.g. a wallet infrastructure provider’s wallet software) as part of their information system, some CCSS requirements may be met by the QSP information system, as determined by the CCSSA conducting the CCSS audit.
A CCSS Implementer (CCSSI) is focused on building and improving the system. They look at how key management is set up, where the gaps are, and what needs to change to meet CCSS requirements. That includes designing controls, putting processes in place, and making sure there’s enough documentation and evidence to support it. CCSSIs may be internal to an organization or brought in externally to support the implementation. In some cases, they are engaged to support the full implementation across all controls. In others, they may be brought in to assist with specific areas depending on the needs of the system.
A CCSS Auditor (CCSSA) determines the CCSS Trusted Environment and audits the system. They come in independently, review what’s in place, test how it works, and determine whether the requirements are actually met. CCCSSAs also perform peer reviews. In this case, a separate CCSSA Peer Reviewer (CCSSA-PR) reviews the redacted Report on Compliance to confirm the audit was done correctly, the evidence supports the conclusions, and the Standard was applied consistently.
For a list of certified professionals, please see our website:
Find an Implementer
Find an Auditor
Become an Implementer
Become an Auditor