The FTC charged that the discounter engaged in an illegal practice by failing to adequately protect consumer information; storing unneeded information; failing to encrypt sensitive information; requiring only a commonly known user ID and password; and lacking sufficient security to detect unauthorized access.
Ms. Majoras declined to comment.
The settlement requires DSW to implement a comprehensive information-security program and undergo independent security audits each year for 20 years.
DSW's privacy breach was disclosed earlier this year. Credit-card numbers and transaction information on purchases in 108 stores from mid-November 2004 through mid-February 2005 were accessed by hackers, though the information included no addresses or PINs. Also taken was information about 96,000 check transactions that included checking account numbers and driver's license numbers, but no names and addresses.
The Ohio Attorney General earlier sued DSW, questioning whether the company had done enough to notify customers of the breach.
The FTC said that DSW's financial documents suggest the breach could expose the company to $6.5 million to $9.5 million in losses.