Dealership IT

DMS Vendor Access Checklist for Auto Dealerships

A practical checklist for managing DMS vendors, OEM portals, remote access tools, finance systems, and third-party technology access at auto dealerships.

Dealership technology depends on vendors. DMS providers, OEM systems, CRM, desking, digital retailing, finance, phones, payments, websites, marketing, cameras, access control, printers, scan tools, and service-lane platforms all need some kind of access.

That access can be useful, necessary, and dangerous at the same time. If a dealership does not know which vendors can reach which systems, every outage, audit, employee change, or security incident becomes harder to manage.

Use this checklist to clean up vendor and DMS-adjacent access without creating unnecessary operational friction.

Build The Vendor Inventory

Start with a simple list before changing permissions.

  • DMS provider and support contacts.
  • OEM/manufacturer portals and support paths.
  • CRM, desking, digital retailing, inventory, website, and marketing platforms.
  • Finance, lender, credit application, payment, and document vendors.
  • Phone, call tracking, SMS, and customer communication vendors.
  • Printer, scanner, forms, signature pad, and document workflow vendors.
  • Camera, access control, alarm, and lot-security vendors.
  • MSP, cybersecurity, backup, cabling, WiFi, and network vendors.

For each vendor, document the business owner, technical owner, login method, remote access method, support contact, contract owner, and systems touched.

Separate Named Accounts From Shared Accounts

Shared accounts are common in dealerships, but they create avoidable risk.

  • Prefer named accounts for vendor users.
  • Remove generic accounts that no longer have a clear owner.
  • Do not share employee accounts with vendors.
  • Require MFA where supported.
  • Record who approved elevated access.
  • Review privileged accounts quarterly.

If a vendor says they need a shared login, document why and limit what that account can access.

Review Remote Access Tools

Remote access tends to accumulate over years.

  • List VPN accounts.
  • List remote desktop access.
  • List unattended support agents.
  • List screen-sharing tools.
  • List firewall rules and port forwards.
  • List cloud admin portals vendors can access.

Remove old tools and accounts before adding new ones. Multiple forgotten remote access paths are a common dealership security gap.

Limit Access By Role And System

Vendor access should match the work being done.

  • DMS vendors should not automatically have broad network access.
  • Printer vendors should not have access to F&I shares.
  • Camera vendors should not have access to office systems.
  • Marketing vendors should not control email or DNS without oversight.
  • Service-lane vendors should not bypass endpoint security standards.

The test is simple: if the vendor account is misused, what can it reach?

Keep Escalation Notes

During a dealership outage, vendor contact confusion wastes time.

  • Support portal URL.
  • Account number or rooftop identifier.
  • After-hours support path.
  • Named account manager or escalation contact.
  • Authorized dealership contacts.
  • Known dependencies and common finger-pointing areas.
  • Notes from previous outages or cutovers.

This is especially important for DMS, phones, internet circuits, payment systems, and service-lane tools.

Tie Vendor Access To Employee Changes

Dealership turnover can leave vendor and portal access messy.

  • Remove departed employees from DMS, OEM portals, email, CRM, finance systems, and remote access.
  • Review managers who approve vendor access.
  • Reassign vendor notifications from personal inboxes to role-based ownership where practical.
  • Check whether former employees had vendor admin access.

Employee offboarding should include dealership systems, not only email.

Include Vendor Access In FTC Safeguards Work

The FTC Safeguards Rule expects dealerships to oversee service providers that can affect customer information security.

Useful evidence includes:

  • Vendor inventory.
  • Access review notes.
  • MFA and remote access records.
  • Contract/security review notes where available.
  • Incident response and escalation notes.
  • Documentation showing old access was removed.

This does not need to become paperwork theater. It needs to be accurate enough that dealership leadership can explain who has access and why.

Standard Infrastructure helps dealerships clean up vendor access, DMS dependencies, remote support paths, and infrastructure documentation as part of a dealership IT assessment.

Not sure what to buy first?

Start with an infrastructure assessment

Request Assessment See Pricing

Not sure what to ask for?

Text us photos of the messy part.

Send rack, closet, cabling, WiFi gear, ISP handoff, UPS, camera, access-control, or problem-area photos. We can usually tell you what needs to be documented, traced, stabilized, or planned next.

Text Photos to (310) 862-6862 Start Assessment