PCI & FTC Compliance for Arizona Auto Dealers | Coeus Consulting

PCI DSS & FTC Safeguards violations cost Arizona dealers up to $50,120 per incident. See what’s required and how Coeus Consulting closes the gap.

Two Overlapping Compliance Obligations at Every Transaction

Every time a customer swipes a card at your parts counter, finances a vehicle in your F&I office, or books a service appointment online, your dealership takes on two separate, overlapping compliance obligations — and most Arizona dealers only know about one of them.

The FTC Safeguards Rule governs how you protect customer financial data as a “financial institution” under the Gramm-Leach-Bliley Act — a classification that applies to nearly every dealership offering financing, leasing, or extended service contracts. Violations run up to $50,120 per incident. Separately, PCI DSS (Payment Card Industry Data Security Standard) governs how you handle card payment data specifically, with non-compliance penalties reaching $43,792 per violation plus the card networks’ own fines and, in a breach scenario, forensic investigation costs that dwarf both.

What Scottsdale, Tempe, Mesa, Gilbert & Glendale Dealers Need to Know

For dealerships in Scottsdale, Tempe, Mesa, Gilbert, and Glendale, this isn’t theoretical. Arizona also layers on its own dealer-data protection statute (A.R.S. § 28-4651), which restricts how manufacturers and third parties can access, share, or hold a dealership’s data hostage — meaning a modern dealership’s compliance surface now spans federal financial regulation, federal payment-card standards, and state dealer-data law simultaneously.

Coeus Consulting has spent the past year building out dedicated automotive managed IT and cybersecurity services for Phoenix-metro dealerships, anchored by real, in-market work — including a multi-location engagement with Berge Automotive Group that moved a seven-dealership operation off end-of-life systems and reactive break-fix support onto a proactive, compliance-ready managed IT environment. That’s not theoretical either — it’s the same architecture this article walks through below.

Why Two Different Rules Apply to the Same Transaction

Here’s where most dealership GMs and controllers get confused: FTC Safeguards and PCI DSS aren’t the same requirement wearing two names. They cover different data, are enforced by different bodies, and carry different technical expectations.

The FTC Safeguards Rule protects nonpublic personal information — the full financial picture: SSNs, income data, credit applications, loan terms — anything your F&I office collects to structure a deal. It requires a written information security program, a designated Qualified Individual responsible for that program, and documented risk assessments.

PCI DSS protects cardholder data specifically — the card number, expiration date, and security code moving through your point-of-sale systems at the parts counter, service drive, and sales office. It requires network segmentation, encryption of stored and transmitted card data, and — depending on your processing volume and method — completion of the correct Self-Assessment Questionnaire (SAQ) type, as defined by the PCI Security Standards Council.

A dealership can be fully PCI compliant and still fail an FTC Safeguards audit, or vice versa. Both matter, and both get audited independently.

The PCI Gap Most Dealerships Don’t Know They Have

The most common PCI failure point at Arizona dealerships isn’t malicious — it’s architectural. Card terminals in the service bay, the parts department, and the sales floor are frequently sitting on the same flat network as the DMS (Dealer Management System), the Wi-Fi guests use in the customer lounge, and the diagnostic tools techs plug into vehicles.

That’s scope creep in PCI terms: once card-processing systems share a network with everything else, your entire network falls inside PCI’s compliance boundary, not just the terminals themselves. The fix is network segmentation — isolating payment systems on their own VLAN, away from DMS traffic, guest Wi-Fi, and diagnostic equipment — paired with point-to-point encryption (P2PE) or tokenization at the terminal itself, so card data is encrypted before it ever touches the dealership’s internal network.

For dealerships still running card terminals integrated directly into legacy DMS platforms — CDK Global, Reynolds & Reynolds, Dealertrack, VinSolutions, or eLeads — this segmentation work needs to happen around those systems, since ripping out a DMS mid-year isn’t realistic for most groups. It’s exactly the kind of surgical network work an MSP with dealership-specific experience should be doing, not a generalist IT provider treating your service drive like a standard office.
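To make the scope-creep point concrete, here is an added worked example (not code from Coeus Consulting or from the original article) that models a dealership inventory as devices on VLANs and computes which devices land inside the PCI compliance boundary. It applies a simplified version of PCI scoping: devices that handle card data form the cardholder data environment (CDE); anything sharing a VLAN with them is in scope; and any VLAN with an allowed firewall flow into the CDE VLAN is "connected-to" and also in scope. The device names, VLAN numbers and allowed flows are constructed for illustration; the third scenario shows what happens when a legacy DMS integration is allowed to talk to the payment VLAN.

```python
"""Simplified PCI scope calculator for a dealership network (constructed example).

Scoping rules applied (a deliberate simplification of PCI DSS guidance):
  * a device that handles card data is part of the CDE;
  * every device on the same VLAN as a CDE device is in scope, because a flat
    Layer-2 segment gives it unrestricted reach to the terminals;
  * every VLAN with an allowed flow into a CDE VLAN is "connected-to" and in scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    vlan: int
    handles_card_data: bool = False


@dataclass
class Network:
    devices: list[Device]
    # Allowed inter-VLAN flows as (source_vlan, destination_vlan).
    # Anything not listed is assumed blocked by the firewall/ACL.
    allowed_flows: set[tuple[int, int]] = field(default_factory=set)

    def cde_vlans(self) -> set[int]:
        return {d.vlan for d in self.devices if d.handles_card_data}

    def pci_scope(self) -> set[str]:
        """Names of every device that falls inside the PCI compliance boundary."""
        cde = self.cde_vlans()
        # VLANs that are allowed to initiate traffic into a CDE VLAN.
        connected = {src for (src, dst) in self.allowed_flows if dst in cde}
        in_scope_vlans = cde | connected
        return {d.name for d in self.devices if d.vlan in in_scope_vlans}


def flat_network_scope() -> set[str]:
    """Scenario 1 (constructed): everything on VLAN 1, as the article describes."""
    flat = Network(devices=[
        Device("parts-terminal", 1, handles_card_data=True),
        Device("service-drive-terminal", 1, handles_card_data=True),
        Device("dms-server", 1),
        Device("guest-wifi-ap", 1),
        Device("obd-diagnostic-laptop", 1),
    ])
    return flat.pci_scope()


def _segmented_devices() -> list[Device]:
    # Payment VLAN 100, management VLAN 10, DMS 20, guest Wi-Fi 30, diagnostics 40.
    return [
        Device("parts-terminal", 100, handles_card_data=True),
        Device("service-drive-terminal", 100, handles_card_data=True),
        Device("it-mgmt-jumphost", 10),
        Device("dms-server", 20),
        Device("guest-wifi-ap", 30),
        Device("obd-diagnostic-laptop", 40),
    ]


def segmented_network_scope() -> set[str]:
    """Scenario 2 (constructed): payment VLAN isolated; only the management
    jumphost is permitted into it for terminal administration."""
    segmented = Network(devices=_segmented_devices(), allowed_flows={(10, 100)})
    return segmented.pci_scope()


def dms_integrated_scope() -> set[str]:
    """Scenario 3 (constructed): same segmentation, but a legacy DMS integration
    is allowed to reach the terminals. The DMS VLAN becomes connected-to and
    the DMS server is pulled back into scope."""
    integrated = Network(
        devices=_segmented_devices(),
        allowed_flows={(10, 100), (20, 100)},
    )
    return integrated.pci_scope()


if __name__ == "__main__":
    for label, scope in [
        ("flat network", flat_network_scope()),
        ("segmented", segmented_network_scope()),
        ("segmented + DMS integration", dms_integrated_scope()),
    ]:
        print(f"{label}: {len(scope)} device(s) in PCI scope -> {sorted(scope)}")
```

Run it directly to see the three inventories side by side. On the flat network every device, including the guest Wi-Fi access point and the diagnostic laptop, lands in scope; on the segmented network only the terminals and the management jumphost do; and permitting the DMS VLAN into the payment VLAN pulls the DMS server back in, which is why the article says segmentation around a legacy DMS has to be done deliberately rather than by flattening the flows. A real assessment also has to account for devices that could affect the CDE (directory servers, patch management, logging) and for P2PE, which can remove terminals' upstream path from scope entirely; the model here deliberately stops at VLAN membership and allowed flows.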

What FTC Safeguards Actually Requires (Beyond a Policy Document)

A written policy alone doesn’t satisfy 16 CFR Part 314. Per the FTC’s own compliance guidance — which includes FAQs specifically addressing motor vehicle dealers — the rule requires, among other elements:

  • A named Qualified Individual accountable for the security program — someone who can actually answer for it in an audit, not just a title on paper
  • Multi-factor authentication for anyone accessing customer financial information
  • Encryption of customer data at rest and in transit
  • Regular risk assessments, documented and dated
  • An incident response plan — not hypothetical, but tested

The dealerships that get burned aren’t the ones with no policy. They’re the ones with a policy nobody follows, written once during a prior compliance scare and never updated since.

A Regional Note: Scottsdale, Tempe, Mesa, Gilbert, and Glendale

Auto dealership density across the East and West Valley means Phoenix-metro dealerships are watching each other’s compliance posture as closely as any regulator does — a breach at one Scottsdale luxury group or one Mesa high-volume store becomes local industry news fast, and referral relationships between service departments and lenders can be sensitive to a dealership’s security reputation. Whether you’re a single-location store in Gilbert or a multi-rooftop group spanning Glendale to Tempe, the compliance bar is identical under federal law — but the local reputational cost of getting it wrong is not. The National Automobile Dealers Association has increasingly flagged data privacy and cybersecurity as a top compliance priority for franchised dealers nationally, and Arizona’s dealership market is no exception.

The 2024 CDK Outage Was a Preview, Not an Anomaly

The industry-wide CDK Global outage disrupted dealership operations nationally for days, and it demonstrated something Arizona dealers should sit with: when your DMS goes down, PCI and FTC compliance don’t pause — but your ability to process transactions securely, verify identity, and log access does. Business continuity planning and compliance are no longer separate conversations.

Frequently Asked Questions

What is PCI DSS, and does my dealership need to comply? PCI DSS is the security standard for any business that accepts, processes, or stores credit card data. If your dealership’s parts counter, service drive, or sales office runs card payments in any form, PCI DSS applies to you, regardless of dealership size.

What’s the difference between the FTC Safeguards Rule and PCI DSS? The FTC Safeguards Rule protects customer financial information collected during financing and lending, enforced under the Gramm-Leach-Bliley Act. PCI DSS protects payment card data specifically, enforced by the card networks. A dealership needs to satisfy both, separately.

How much can non-compliance actually cost my dealership? FTC Safeguards Rule violations can reach $50,120 per incident. PCI DSS non-compliance penalties can reach $43,792 per violation, before factoring in card network fines or breach-related forensic and notification costs.

Does Arizona have its own data privacy requirements beyond federal rules? Yes. A.R.S. § 28-4651 restricts how manufacturers and third-party vendors can access, share, or restrict a dealership’s own data — including a specific prohibition on “cyber ransom” tactics — adding a state-level layer on top of federal FTC and PCI obligations for Arizona dealerships.

Getting Compliant Doesn’t Mean Doing It Alone

PCI and FTC compliance are ongoing operational disciplines, not one-time projects — which is exactly why dealerships across Scottsdale, Tempe, Mesa, Gilbert, and Glendale partner with an MSP that understands both the regulatory requirements and the specific architecture of a dealership’s technology stack. Coeus Consulting works directly with Arizona auto groups — including Berge Automotive Group — to segment payment networks, implement the Safeguards Rule’s required controls, and keep documentation audit-ready year-round.

Ready to close your dealership’s compliance gaps?

If your dealership’s network hasn’t had a real look at how PCI and FTC Safeguards requirements intersect with your DMS, your card terminals, and your F&I office, now is the time — not after an audit or a breach forces the issue. Schedule a free automotive IT and compliance consultation with Coeus Consulting, or call (602) 932-6387 to talk with our team directly. We work with dealerships across Scottsdale, Tempe, Mesa, Gilbert, Glendale, and the entire Phoenix metro — visit our automotive services page to see how we’ve helped groups like Berge Automotive Group get to a “Known State.”


About Coeus Consulting

Coeus Consulting is a BBB A+ rated managed IT service provider and cybersecurity consulting firm based in Phoenix, Arizona, serving small-to-medium businesses across the Southwest. Built around the proprietary Coeus Codex framework, Coeus delivers managed IT, advanced cybersecurity, compliance advisory, and cloud solutions tailored to high-stakes industries including automotive, healthcare, legal, construction, manufacturing, finance, and semiconductor. Coeus’s automotive practice works directly with Phoenix-area dealership groups — including Berge Automotive Group — to move dealership technology from reactive break-fix support to a proactive, audit-ready managed environment. Learn more at coe.us or contact the team.

About the Author

John Gormally is the Digital Marketing Coordinator at Coeus Consulting, bringing 28 years of enterprise cybersecurity experience from roles at Cisco Systems, Citrix, BlackBerry, IBM, LogRhythm, and Proofpoint. A 6-year U.S. Marine Corps veteran and MBA holder, John co-authored graduate cybersecurity curriculum at Cal State San Marcos and has spoken at ISSA and ISACA events. He writes on cybersecurity, compliance, and managed IT topics for Coeus Consulting’s blog, translating enterprise-level security experience into practical guidance for the small-to-medium businesses Coeus serves across Arizona and the Southwest.

LinkedIn Profile: John Gormally, MBA | LinkedIn