Cryptocurrency Security Compliance
The CryptoCurrency Security Standard (CCSS) is a set of requirements designed to govern all information systems that store, accept or transact with cryptocurrencies like Bitcoin and Ethereum.

CCSS is created collaboratively by a group of developers, researchers and security experts with the goal of giving users a safe and secure means of handling cryptocurrencies, including Bitcoin, Ethereum, Litecoin, and many others. It is not meant to be a standalone governing document; rather, it should be used in tandem with existing best practices for information security, like ISO 27001.

CCSS addresses 10 key aspects of cryptocurrency security, covering hardware and software, personnel, policies and procedures, and more. Each of these 10 aspects is scored on a scale of one to three, and an organization's overall level is the lowest level it achieves across all of them. Level I is the lowest level and already requires strong security measures, while Level III is the highest and requires the most comprehensive set of controls.

Cryptocurrency Security Levels

Cryptocurrency security levels are assigned based on 10 security aspects:

  • Key/Seed Generation
  • Wallet Creation
  • Key Storage
  • Key Usage
  • Key Compromise Policy
  • Keyholder Grant/Revoke Policies and Procedures
  • Third-Party Security Audits/Pentests
  • Data Sanitization Policy
  • Proof of Reserve
  • Audit Logs

These security levels are assigned based on the lowest common rating among all categories. So, for example, if a Level I organization meets some, but not all Level II criteria, it will retain a Level I rating until all Level II criteria are met.

The security levels are described by the CCSS Steering Committee as follows:

Security Level I

An organization or system that has achieved Level I security protects its information assets with strong levels of security and has proven so by audit. Using industry-standard controls, most risks to the system's information assets have been addressed. Although this is the lowest cryptocurrency security rating, it still represents a strong level of security.

Security Level II

A Level II system uses additional enhanced controls to exceed strong levels of security. Level II organizations make use of decentralized security technologies such as multi-signature schemes, in which more than one independent key must sign a transaction, so that the compromise of any single key or keyholder is not by itself sufficient to move funds.

Security Level III

An information system demonstrating Level III cryptocurrency security has implemented formal policies and procedures that are enforced at every step within its business processes to exceed enhanced levels of security. Multiple actors are required for all critical actions, data authenticity is protected by advanced authentication mechanisms, and assets are distributed geographically and organizationally in such a way as to mitigate the chance of compromise to the highest degree possible.

Cryptocurrency Penetration Testing

Among the other requirements outlined above, all information systems wishing to achieve Level I CCSS compliance must make use of regular third-party security auditing and penetration testing.

Our cryptocurrency penetration testing, including Bitcoin penetration testing, Ethereum penetration testing and more, assesses the security of cryptocurrency exchanges and platforms and identifies vulnerabilities that may pose a risk to the assets and security of users on those platforms. The goal is to uncover security flaws and risks so they can be mitigated before a bad actor is able to take advantage of them for improper or malicious purposes.

In general, cryptocurrency organizations should maintain a documented cybersecurity policy and conduct third-party penetration testing annually.

Cryptocurrency Physical Security Testing

While most cryptocurrency transactions take place virtually, bad actors are ever-determined, and the frequency of physical cryptocurrency attacks is on the rise. From brazen armed attacks to stealth, covert burglaries, malicious actors are increasingly taking their efforts offline to misappropriate Bitcoin and other high-value virtual currencies.

Physical cryptocurrency penetration testing can assess your readiness for such an attack. RedTeam Security can help you take your cryptocurrency penetration test from the digital realm to the real world, uncovering vulnerabilities not just within your networks and devices but in your facilities, access control mechanisms, and other physical assets.

Cryptocurrency Social Engineering

The highly technical world of cryptocurrency isn't immune to classical social engineering techniques like phishing and spoofing. In fact, criminals are putting new and creative spins on traditional social engineering scenarios to attack from every angle, from ICOs (initial coin offerings) to fraudulent coin wallets and more.

Social engineering testing for cryptocurrency can uncover vulnerabilities of the human variety—places where individuals may put the integrity of the currency at risk.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at 612-234-7848 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.


Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.