The term “crypto” covers the fast-growing sector that includes cryptocurrencies, DeFi, metaverses, NFTs, cryptocurrency exchanges and numerous other innovations. What has become apparent over the short time in which this sector has grown from a cypherpunk project into a viable alternative to fiat as a unit of exchange and a store of value is a lack of information security. Hacks that result in billions of investment dollars being permanently lost by the public and by institutions are an almost daily occurrence.
We have seen hacks caused by private keys hard-coded into source files and published on Internet-based source code repositories with misconfigured permissions, giving the public access to the code (and the private key!). We have also seen hacks caused by unpatched systems, poor user management and poor secure coding standards. Overall, there is a general lack of understanding of, or care in implementing, the most basic security controls. It does not help that most projects in the “crypto” space keep the project owners and developers anonymous, creating an environment with no accountability for whatever they create.
Public and institutional investors are seeking assurance that the “crypto” project they are investing in is secure and securely managed. This is where basic information security management standards such as PCI DSS come in. Combined with the Cryptocurrency Security Standard (CCSS), they allow investors to gain a high level of assurance that any project compliant with these standards has taken information security seriously.
This post discusses how PCI DSS and CCSS, when implemented together, can provide a robust information security framework for any “crypto” project.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that defines the baseline security controls for protecting payment systems that process, transmit or store credit card data. The standard also addresses the supporting systems and other internal or external entities involved in the payment process, such as service providers, whose security could impact the security of credit card data.
PCI DSS was created in response to the constantly growing number of breaches involving credit card data, which exposed what appeared to be a lack of basic security controls applied by businesses to their information systems. Many of us have been directly affected by a breach involving our credit cards, at the very least suffering the annoyance of having to cancel a card and monitor transactions almost daily.
The standard provides a robust and detailed set of security controls that must be applied in order to provide effective protection against attacks. Controls such as change management, patch management, user account management, physical security, incident response management, network and firewall management and key management, to name a few, are all covered by the standard.
Implementing PCI DSS within an organization gives customers, merchant acquiring banks and other interested parties a high level of confidence that at least the basic security controls are in place, which greatly reduces the risk of a breach.
A major benefit of PCI DSS is that a business does not even need to accept credit card payments to benefit from implementing it. The controls listed in the standard can be selected and implemented by any business to strengthen its information security management system, with the confidence that comes from using a robust and mature standard.
Cryptocurrency as a store of value or a unit of exchange is still new compared to fiat and precious metals. However, the sector is growing rapidly, with new services and concepts such as DeFi, the metaverse, NFTs, tokens and DAOs being used by people daily and billions in fiat investment flowing through these services and protocols.
As with any sector in start-up mode, security is generally not at the forefront of the creators’ focus. Appealing to investors and users with cool tech, functionality and ROI is, and it will consume all the resources the start-up has available. This is a dangerous situation when we consider the amount of investment flowing into this sector from not only institutional investors but also the public. Scams are plentiful and “rug-pulls” occur almost daily, but even start-ups that want to provide a legitimate service that adds value for their customers are not doing themselves any favors by offering a service where the security of the system is an afterthought.
A business that offers “crypto” products and services is just like any other business that uses IT systems: security needs to be considered and built into those systems before they go into production. This is where the benefit of implementing a security standard such as PCI DSS really shines, as it guides the business in implementing the basic information security controls that greatly reduce the risk of a breach.
For a business providing “crypto” products and services, cryptographic security is a major concern, since cryptography is the core foundation of cryptocurrency. PCI DSS covers cryptographic security in detail, because cryptography is required for the protection of payment data in transit and at rest. Any business providing “crypto” products and services should consider PCI DSS, as the standard not only covers the basic general security controls that help protect all information systems but also provides very good coverage of cryptographic security controls, including key management, which is a critical process when dealing with cryptocurrencies.
PCI DSS goes some way toward providing the basic controls of information security, especially around cryptographic implementation and key management. However, cryptocurrency use relies heavily on “wallets” for conducting transactions, and wallets extend the use of cryptography into areas where baseline information security standards such as PCI DSS do not provide controls.
A cryptocurrency wallet is a software application that provides the functions for interacting with a blockchain. A blockchain is a transaction ledger that records every transaction made with its cryptocurrency. You do not need a wallet to transact on a cryptocurrency’s blockchain, but doing so is very complicated for the general user, and a single mistake, such as entering an incorrect destination address, results in permanent loss of the cryptocurrency involved in that transaction. Cryptocurrency wallets were designed to hide the complexity of blockchain interactions so that a person with limited technical skills can start using cryptocurrencies. The security of a cryptocurrency wallet is paramount, as it is the interface that gives direct access to and control of the cryptocurrencies it manages. This is where the Cryptocurrency Security Standard (CCSS) comes into the picture.
Cryptocurrency Security Standard (CCSS)
The Cryptocurrency Security Standard (CCSS) is an open standard that focuses on the security management of cryptocurrency wallets. The CCSS is maintained by the CCSS Steering Committee, whose members are subject matter experts in the field of cryptocurrency, such as Dirk Anderson, Petri Basson, Mike Belshe, Stefan Beyer, Jameson Lopp, Joshua McDougall, Michael Perklin, Ron Stoner and Joe Ventura. The Cryptocurrency Certification Consortium (C4), which provides certifications for Bitcoin and Ethereum, is planning to offer an auditor certification for CCSS.
The CCSS is not designed to replace existing information security standards such as PCI DSS; it is designed to provide additional controls focused on cryptocurrency wallets. Ignoring baseline information security standards such as PCI DSS and ISO 27001 and implementing only CCSS is not recommended, as CCSS covers only a small subset of the controls needed to protect information systems. The CCSS defines three levels of compliance:
- Level 1: Covers the basics of cryptocurrency wallet management
- Level 2: Adds enhancements to the base controls of Level 1
- Level 3: Adds formalised policies and procedures and further enhancements to the security and resiliency of wallet management
Fitting PCI DSS & the CCSS Together
The benefit of implementing PCI DSS in an organisation that is also considering CCSS is that the Level 3 requirements for formalised policies and procedures and robust key management are already required by PCI DSS. Reaching and maintaining compliance with CCSS Level 3 is therefore a much simpler exercise.
You can find more information about CCSS here. For more information on PCI DSS please visit our pages on the PCI DSS Basics.
Need More Help?
We can help you understand the best practices for wallet management and security. We can also help you demonstrate your PCI DSS compliance. Contact us for more information.