CCSS Audit Process | How to Start It?

Certified CCSS Systems have been independently evaluated and audited against the CryptoCurrency Security Standard. Systems that earn Level 1, Level 2, or Level 3 designations have proven they are robust, resilient, and rooted in best practices. Learn more about the CCSS and how to get your system(s) certified below.

The first step to getting audited is to select a CCSSA.


Entities then contact and negotiate with the CCSSA of their choosing. Please note that while these individuals have proven their knowledge of the CCSS, C4 does not endorse specific CCSSAs. It is imperative that entities follow best practices for selecting an auditor.

All CCSS audits cover a period of time prior to audit completion and will test the operating effectiveness of the control over this period of time. Audits are designed to be performed at least annually and cover the preceding 12-month period. All audits performed by CCSSAs are reviewed by a CCSSA-Peer Reviewer before C4 certifies an entity. Any dispute arising out of the peer review process shall be arbitrated by the CCSS Steering Committee.

The CCSSA is responsible for ensuring all data related to the audit is transmitted and stored in a secure manner for the duration of the Certificate of Compliance (CoC) and as legally required in the jurisdiction of the audit. C4 will not view documentation of evidence outside the Summary Report on Compliance (SRoC). The CCSS Steering Committee shall review evidentiary documentation in the case of a peer review dispute.
*Text version of this image can be found in the Auditor’s Guide.

What is a CryptoCurrency Security Standard Auditor (CCSSA)?


A CryptoCurrency Security Standard Auditor is an expert in the CCSS. CCSSAs are able to apply the CCSS standard to any information system that uses cryptocurrencies, calculating a grade for the system according to the CCSS.

CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.

Learn how to become a CCSSA here.

What is the cost of a CCSS audit?

Audit fees will be determined between the CCSSA and the entity. It is the responsibility of the CCSSA to ensure sufficient time to complete the audit is reflected in the agreed-upon fees.

Audit fees must also include the Listing Fee and the CCSSA-PR’s fee, as determined between the CCSSA and the CCSSA-PR. The CCSSA-PR’s fee will be forwarded to the CCSSA-PR by the CCSSA. C4 will send an invoice for the Listing Fee to the CCSSA after approving the SRoC.

The listing fee, paid by the audited system’s entity to the CCSSA, is based on Table 1.

When multiple systems (up to 3) are covered in the same audit, C4 only charges the listing fee of the most expensive system. When auditing 4-6 systems, C4 only charges the listing fee of the two most expensive systems, and so on.

Systems that maintain a Certificate of Compliance without letting it lapse receive a 25% discount on the listing fee.

Can a QSP Certified to v8.1 be used for Full System v9.0 Compliance?

Yes. Read more in the Transitions Guidelines document.

The CryptoCurrency Security Standard (CCSS) has been updated to version 9.0. See the updated CCSS here.

Systems certified under 8.1 are still valid.