CCSS uses system designations to describe how a system is structured in relation to key material management and responsibility. They help clarify whether a system holds its own keys, provides services to other systems, or relies on other systems as part of its design.
The system designations are as follows:
Systems that hold all keys to the system that controls the entity’s own funds.
A CCSS Qualified Service Provider (QSP) is a system that meets many of the requirements for CCSS certification with the exception of the few requirements that another system has control over. A QSP is a system that facilitates a subset of custody services to other systems and therefore is only required to meet certain requirements. This means that if a system uses a QSP, the audit focus is only on the few remaining requirements to become certified.
An information system that meets all applicable CCSS requirements in totality. In situations where an information system utilizes a CCSS certified Qualified Service Provider (QSP) information system (e.g. a wallet infrastructure provider’s wallet software) as part of their information system, some CCSS requirements may be met by the QSP information system, as determined by the CCSSA conducting the CCSS audit.
An entity is the organization. A system is what gets audited.
The entity is the company, business unit, or organization that owns or operates the CCSS trusted environment. The system is the specific set of people, processes, and technology that handle key material that make up the CCSS trusted environment.
CCSS certification applies to the system, not the entity.
This means the audit focuses on how key material is managed within a defined environment, not everything the organization does. An entity may have multiple systems with different designs, controls, and risk profiles, and each one is considered separately.
The CCSS Glossary definition for key material is as follows:
The parameters used to derive or represent cryptographic keys. It includes the raw components—such as seed phrases, private keys, public keys, or key shares—that are fundamental to encryption, decryption, signing, or verifying digital information.
Click here to see the entire CCSS Glossary.