Security

How to Store Bitcoin Your Business Receives Safely

A practical guide for U.S. businesses on secure bitcoin storage: hot wallets, cold storage, multisig, custody, and key management basics.

Accepting bitcoin payments is one thing. Keeping that bitcoin safe afterward is a different problem entirely, and a lot of businesses don't think about it until something goes wrong.

This guide covers how to store the bitcoin your business receives, from basic wallet types to more serious custody arrangements. The right setup depends on your transaction volume, technical comfort, and how much risk you can absorb. Nothing here is financial, tax, or legal advice — requirements change, and you should confirm current IRS and FinCEN guidance with qualified professionals before acting.

Why Bitcoin Storage Deserves a Separate Policy

When a customer pays you in bitcoin, the funds land in whatever wallet you've configured with your payment processor. Many businesses leave it there by default. That's convenient, but it conflates payment processing with custody, and those are two different functions with different risk profiles.

A payment processor holds your bitcoin the way a cash register holds bills: it's meant to be a temporary stop, not a vault. The longer funds sit in a hot, internet-connected wallet you don't fully control, the longer they're exposed to the processor's security practices, potential hacks, and (if the processor holds your keys) counterparty risk.

Building a deliberate storage policy means deciding: how much bitcoin stays liquid for operations, where longer-term holdings go, and who controls the private keys.

Hot Wallets vs. Cold Storage: The Core Tradeoff

Hot wallets are connected to the internet. Cold storage is not. That's the whole distinction, and it matters enormously.

Hot wallets (browser extensions, mobile apps, and the custodial wallets that payment processors provide) are fast and easy to use. You can send funds in seconds. The tradeoff is that anything internet-connected is reachable by attackers. A compromise isn't inevitable, but it is possible.

Cold storage keeps private keys offline. Common forms include hardware wallets (physical devices that sign transactions without exposing keys to a networked computer) and air-gapped machines. Funds in cold storage are much harder to steal remotely, but they're also slower to move. That's the point.

For most U.S. businesses, a reasonable approach is to keep a small working balance in a hot wallet for operational needs and sweep the rest into cold storage periodically. The exact threshold is a business decision, not a technical one. For more detail on how these two options compare in a business context, see our guide on hot wallets vs. cold storage for business bitcoin.

Who Holds the Keys

Private keys are the actual control mechanism for bitcoin. Whoever holds the keys controls the funds. This point sounds obvious but gets blurry in practice.

Custodial storage means a third party (an exchange, a processor, or a crypto custody firm) holds your keys on your behalf. You have an account with them; they hold the underlying bitcoin. This is simpler to manage but introduces counterparty risk. If they're hacked, go insolvent, or freeze withdrawals, your access depends on their situation, not yours.

Self-custody means your business holds its own keys. You're responsible for backup, security, and not losing them. That's a real burden, but it also means no third party stands between you and your funds.

Many businesses use a hybrid: custodial arrangements for a portion of holdings (especially if they have a relationship with an insured institutional custodian) and self-custody cold storage for the rest.

A few things to evaluate when choosing a custodial provider:

  • Whether they hold funds in segregated accounts or commingled pools
  • What insurance coverage they carry, and what it actually covers
  • Whether they're registered as a Money Services Business with FinCEN, and what state money transmitter licenses apply
  • Their withdrawal process and any lockup or delay periods

None of these questions have universal right answers. They're due diligence items, and the answers vary by provider.

Multisig: Removing Single Points of Failure

Single-key wallets, where one private key controls the funds, have an obvious weakness: lose or compromise that key, and you lose the bitcoin. For a business holding meaningful amounts, that's an unacceptable single point of failure.

Multisignature (multisig) wallets require multiple keys to authorize a transaction. A common setup is 2-of-3: you need any two of three keys to move funds. Keys can be held by different people (a business owner and a CFO, say) or stored in different physical locations. An attacker who compromises one key can't move the bitcoin without the others.

Multisig adds operational complexity. Signing a transaction requires coordination. But for businesses keeping substantial amounts in cold storage, that friction is usually worth it. Our article on multisig wallets for business bitcoin walks through the mechanics in detail.

Practical Key Management for Businesses

Key management is where most self-custody failures happen. The technical side of hardware wallets is straightforward; the human side is not.

Seed phrases. Hardware wallets generate a seed phrase (typically 12 or 24 words) that can recreate your wallet if the device is lost or broken. This seed is as valuable as the bitcoin it controls. It should never be stored digitally, never photographed, and never emailed. Most businesses that lose bitcoin to self-custody failures lost their seed phrase, not their device.

Physical storage options include fireproof safes, safety deposit boxes, or purpose-built metal backup plates (which survive fire and water better than paper). For a business, having the seed phrase accessible to more than one trusted person (while keeping it secure) is a real planning problem that deserves explicit thought.

Access and succession. If the person who manages your bitcoin wallet leaves the company or is incapacitated, can anyone else access the funds? This is a governance question as much as a technical one. Document your wallet setup, storage locations, and access procedures somewhere that authorized people can reach without your involvement.

Separation of duties. The person who can authorize bitcoin transactions shouldn't also be the person who can unilaterally change where bitcoin is sent. This is standard internal controls logic applied to crypto.

Storage Type                   | Connectivity   | Key Control   | Best For
-------------------------------+----------------+---------------+-------------------------------
Processor/exchange wallet      | Hot (online)   | Custodial     | Daily operational float
Software wallet (self-custody) | Hot (online)   | Self          | Short-term working balance
Hardware wallet                | Cold (offline) | Self          | Medium-term holdings
Institutional custodian        | Varies         | Custodial     | Large amounts, compliance needs
Multisig cold storage          | Cold (offline) | Self (shared) | Long-term business treasury

Tax and Recordkeeping Implications

How you store bitcoin doesn't change your tax obligations, but it can affect your recordkeeping. The IRS treats bitcoin as property, so every time your business receives bitcoin, a taxable event may occur (the fair market value at receipt is typically income). Every time you spend or convert it, that may trigger a capital gain or loss.

You need to track the date, amount, and USD value at the time of each receipt, regardless of where the bitcoin is stored afterward. If funds move between wallets (from a processor to cold storage, for example) that's not a taxable event, but you do need clear records showing the movement is an internal transfer rather than a sale.

Payment processors generally provide transaction reports. If you're doing significant self-custody moves, keeping your own ledger of wallet-to-wallet transfers makes accounting much cleaner.

FinCEN rules may also apply depending on your business structure and transaction volumes. Confirm with a CPA or attorney who has crypto experience; this area has changed frequently and the specifics matter.

FAQ

Do we need a separate wallet for bitcoin we receive from customers?

You don't need to, but it's often worth it. Keeping customer payment inflows in a dedicated wallet makes accounting cleaner and reduces the chance that operational spending and incoming customer payments get mixed up. It also limits what an attacker can access if one wallet is compromised.

What happens if we lose our hardware wallet?

The device itself holds no funds — the bitcoin is on the blockchain. What matters is your seed phrase. If you have the seed phrase backed up securely, you can restore the wallet on a new device. If you've lost both the device and the seed phrase, the bitcoin is not recoverable. This is why seed phrase backup is non-negotiable.

Is a crypto exchange safe enough for business storage?

For a working balance you actively use, a reputable exchange with strong security practices may be acceptable. For significant long-term holdings, most security guidance recommends against leaving large amounts on any exchange. Exchanges have been hacked, frozen withdrawals during market stress, and gone insolvent. The funds you hold there depend entirely on their continued operation and good faith.

How often should we sweep funds from the payment processor to cold storage?

There's no universal rule. Common practice is to set a threshold (say, any balance over a certain USD value) and sweep on a fixed schedule. Consistency matters more than the specific interval. Ad hoc decisions tend to get skipped.

Do we need professional custody if we're a small business?

Not necessarily. Small businesses with modest bitcoin holdings often manage fine with a hardware wallet and careful seed phrase backup. Professional or institutional custody typically makes sense when holdings are large enough that the custody fees are worth the insurance, compliance documentation, or operational convenience, or when your business has regulatory requirements that demand it. See our guide on protecting your business from bitcoin payment scams for related security considerations.
