FTC Safeguards Rule IT Checklist for Auto Dealerships

A practical IT checklist for auto dealerships reviewing FTC Safeguards Rule readiness, vendor access, customer data protection, and documentation.

Auto dealerships handle customer financial information every day. Credit applications, deal jackets, scanned IDs, lender portals, payment systems, DMS records, CRM records, printer queues, shared folders, and vendor integrations all create risk.

The FTC Safeguards Rule turns that risk into an operating requirement. A dealership needs a written information security program, controls that fit the business, and evidence that those controls are maintained. This checklist focuses on the IT and infrastructure areas that usually need attention first.

Start With Ownership

Every dealership should know who owns the security program and who owns each system that touches customer information.

  • Name the qualified individual responsible for the program.
  • List the DMS, CRM, desking, F&I, lender, payment, document storage, and accounting systems in use.
  • Identify which systems contain customer information.
  • Identify which systems connect to systems that contain customer information.
  • List every service provider with access to customer information or dealership systems.

For dealer groups, repeat this by rooftop. The same vendor name can hide different local practices at each store.

Review Identity And Access

Access control is usually where dealership risk spreads fastest.

  • Require MFA for email, remote access, DMS-adjacent systems, admin portals, and cloud services.
  • Remove shared accounts where practical.
  • Disable accounts immediately when employees leave.
  • Review manager, finance, accounting, and admin privileges.
  • Separate vendor accounts from employee accounts.
  • Keep a record of who approved privileged access.

Pay special attention to F&I, accounting, service managers, BDC, and anyone with broad DMS or document access.
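The access review above can be run as a repeatable check over an account export. The sketch below is an added example, not part of the original checklist or any vendor's tooling; the CSV columns, account names, and the 90-day staleness threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real DMS or IdP schema.
ACCOUNTS_CSV = """username,owner_type,department,employment_status,enabled,mfa,privileged,approved_by,last_login
jsmith,employee,F&I,active,yes,yes,yes,gm.taylor,2024-05-28
fi-desk,shared,F&I,active,yes,no,no,,2024-05-30
mlopez,employee,Accounting,terminated,yes,yes,yes,controller.kim,2024-03-02
dmsvendor,vendor,Vendor,active,yes,no,yes,,2023-11-14
rchan,employee,Service,active,yes,yes,no,,2024-05-29
"""

STALE_DAYS = 90  # assumed threshold for flagging unused vendor accounts


def review_accounts(csv_text, today):
    """Return {username: [findings]} for enabled accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "yes":
            continue  # disabled accounts are out of scope for this review
        issues = []
        if row["employment_status"] == "terminated":
            issues.append("enabled after separation")
        if row["mfa"] != "yes":
            issues.append("no MFA")
        if row["owner_type"] == "shared":
            issues.append("shared account")
        if row["privileged"] == "yes" and not row["approved_by"]:
            issues.append("privileged access with no recorded approver")
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        if row["owner_type"] == "vendor" and idle_days > STALE_DAYS:
            issues.append("stale vendor account")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS_CSV, date(2024, 6, 1)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Saving each run's output with the review date gives the access review record the program needs as evidence.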

Secure Vendor Remote Access

Dealerships depend on outside vendors, but unmanaged remote access creates audit and breach risk.

  • Maintain a vendor access inventory.
  • Require named vendor users where possible.
  • Remove old VPN, remote desktop, screen-sharing, and unattended support tools.
  • Limit access by system, time, and business need.
  • Log vendor access where practical.
  • Review service-provider security expectations in contracts.

If nobody can say which vendors can still reach the network, that is an urgent finding.

Protect Workstations And Devices

Dealership endpoints live in rough conditions and high-turnover departments.

  • Deploy managed endpoint protection or EDR.
  • Patch operating systems and browsers.
  • Encrypt laptops and portable devices.
  • Standardize workstation builds by department.
  • Lock down local admin rights.
  • Replace unsupported operating systems.
  • Track service-lane tablets, shared PCs, scan stations, and finance workstations.

Do not ignore parts counters, service desks, old scan PCs, label printers, and back-office machines. They often have more access than anyone remembers.

Segment The Network

A dealership network should not be one flat space.

  • Separate guest WiFi from business systems.
  • Segment cameras, access control, phones, service devices, and office systems where practical.
  • Protect DMS access paths and F&I systems.
  • Review firewall rules and VPN access.
  • Confirm that lot WiFi and showroom WiFi are not exposing internal systems.

Segmentation does not need to be exotic. It needs to be understandable, documented, and maintained.

Document Backup And Recovery

Backups are only useful if the dealership can restore operations.

  • Identify which systems are cloud-only, vendor-hosted, local, or hybrid.
  • Confirm backup coverage for file shares, key local systems, and configuration exports.
  • Export firewall, switch, WiFi, and phone configuration where appropriate.
  • Document recovery steps for internet, phones, DMS access, finance workflows, and service operations.
  • Test restores before an incident.

Dealership continuity depends on knowing what can keep running when a vendor, circuit, server, or workstation fleet fails.

Leave Evidence

Compliance work fails when the dealership does the right work but cannot prove it.

  • Keep risk assessment notes.
  • Keep asset and vendor inventories.
  • Keep access review records.
  • Keep MFA, endpoint, backup, and patching evidence.
  • Keep network diagrams, rack photos, and ISP circuit notes.
  • Keep incident response and recovery procedures.

Standard Infrastructure can help review the technical controls, clean up the infrastructure, and produce dealership-specific documentation that a general MSP often misses. For a practical starting point, request a dealership IT assessment.
