Optimizely Knowledge Base

Configure Optimizely X for PCI DSS compliant use

This article is about Optimizely X. If you're using Optimizely Classic, check this article out instead.

Relevant products:
  • Optimizely X Web Experimentation
  • Optimizely X Web Personalization
  • Optimizely X Web Recommendations

THIS ARTICLE WILL HELP YOU:
  • Identify which Optimizely platforms and products are PCI-compliant
  • Configure Optimizely X for PCI-compliant use
  • Avoid configurations that could affect your PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.

Although Optimizely doesn’t process credit card information, your website might. If your website processes credit card information and you use Optimizely on those pages, you’ll need to take a few steps to make sure you maintain PCI compliance when using Optimizely. If you're using Optimizely for any of these activities, you'll need to maintain PCI compliance:

  • Testing across the checkout funnel

  • Personalizing offers and experience in the checkout flow

  • Tracking customer behavior on the checkout page and using it to personalize the experience elsewhere on the website

Optimizely X Web Experimentation, Personalization, and Recommendations are PCI DSS version 3.2 Service Provider Level 2 compliant. Here are our compliance-related documents:

This blog post includes details about PCI compliance and Optimizely X.

Optimizely Full Stack, Mobile, and OTT don’t affect your PCI compliance, so they don’t need to be PCI-compliant.

PCI compliance is available in select Enterprise plans for Optimizely X. PCI compliance is not available in Optimizely Classic.

Configure Optimizely X for PCI compliance

There are a couple of initial requirements to make sure you’re using Optimizely X compliantly:

  • PCI compliance is available on select Enterprise plans

  • All users in your account must use only Optimizely X, with no projects or collaborators in Optimizely Classic

Work with your Customer Success Manager to enable PCI compliance.

Here’s how to configure your account settings for PCI compliance, with step-by-step instructions below:

  1. Navigate to Account Settings > Account Overview.

  2. Under Password Expiration, select Expire after 90 days.

  3. Under Automatic Logout from Inactivity, select Automatically log out after 15 minutes of inactivity.

  4. Click Save.

  5. Contact your Customer Success Manager and request that your account be put in PCI Mode. This will cause two changes to your account:

    a) Your account will use a different URL to load Optimizely assets from our PCI-compliant Content Distribution Network (CDN): https://cdn-pci.optimizely.com

    b) Your existing assets will be synced to the new CDN

  6. Replace your snippet in the <head> tag for your page. When your account is put in PCI Mode, your snippet will change (https://cdn-pci.optimizely.com will replace https://cdn.optimizely.com).

PCI-compliant CDN

The PCI-compliant CDN, https://cdn-pci.optimizely.com, differs from Optimizely’s primary CDN in two ways:

  • It is PCI-compliant

  • Assets can’t be loaded over HTTP; only HTTPS is supported

Confirm proper account set-up

To confirm that your account is properly set up for PCI compliance, here's what to check:

  1. Navigate to Account Settings > Account Overview.

  2. Under Password Expiration, confirm that the setting is Expire after 90 days.

  3. Under Automatic Logout from Inactivity, confirm that the setting is Automatically log out after 15 minutes of inactivity. Collaborators will need to log out and log back in for this setting to take effect on their sessions.

  4. Confirm that the snippet in the <head> tag for your page includes https://cdn-pci.optimizely.com (not https://cdn.optimizely.com) and is correctly implemented on your page. 
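An added check for step 4 (example code, not Optimizely's own tooling): it parses a page's <script> tags and reports whether each Optimizely snippet loads over HTTPS from https://cdn-pci.optimizely.com, still points at cdn.optimizely.com, or uses a scheme the PCI CDN will not serve. The sample HTML and its "/js/PROJECT_ID.js" path are constructed placeholders, and the snippet is assumed to be a plain <script src> tag.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PCI_HOST = "cdn-pci.optimizely.com"      # PCI Mode CDN, HTTPS only
STANDARD_HOST = "cdn.optimizely.com"     # non-PCI CDN the snippet used before

# Constructed sample page; "/js/PROJECT_ID.js" is a placeholder path, not a
# real project id. It deliberately mixes the old snippet with the PCI one.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.optimizely.com/js/PROJECT_ID.js"></script>
<script src="https://cdn-pci.optimizely.com/js/PROJECT_ID.js"></script>
<script src="https://example.com/app.js"></script>
</head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def classify_snippet(src):
    """'pci': https + PCI CDN (expected); 'non-pci': standard CDN;
    'pci-http': PCI CDN over plain http, which the PCI CDN does not serve;
    'pci-relative': //host, which becomes http on an http page; None: other."""
    parts = urlsplit(src)
    host = parts.hostname or ""          # hostname is already lower-cased
    if host == STANDARD_HOST:
        return "non-pci"
    if host != PCI_HOST:
        return None
    if parts.scheme == "https":
        return "pci"
    return "pci-http" if parts.scheme == "http" else "pci-relative"


def check_page(html):
    """Map each verdict to the Optimizely script URLs found on the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = {}
    for src in collector.srcs:
        verdict = classify_snippet(src)
        if verdict is not None:
            findings.setdefault(verdict, []).append(src)
    return findings


def is_pci_ready(html):
    """True only when the page has Optimizely snippets and all are 'pci'."""
    return set(check_page(html)) == {"pci"}
```

Run check_page against the page's HTML after switching the snippet; anything other than a single "pci" entry means the old CDN or an insecure scheme is still referenced somewhere.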

Limitations and alternatives

PCI compliance is available in select Enterprise plans for Optimizely X. PCI compliance is not available in Optimizely Classic. If you still use Classic for some or all of your projects, you can transition to Optimizely X. You also have two alternative methods for using Optimizely without affecting PCI compliance.

Also, even if all your projects use Optimizely X, none of your account’s users can have collaborator roles on any Classic projects. Collaborators on Classic projects could be exposed to functionality that isn’t PCI-compliant.

After enabling PCI on your account, the Optimizely snippet will be unable to read cross-origin data from before PCI was enabled. This means that visitor behavior-based rules will only be able to reference behavior on origins that the visitor has visited since that time.