Skip to main content


Optimizely Knowledge Base

PCI DSS compliance best practices with Optimizely Classic

  • Identify which parts of your site require attention for PCI DSS compliance
  • Select the best way to optimize the pages your visitors use to send you their credit card information in a PCI-compliant manner

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. 

Optimizely is, however, often used on the pages in a checkout funnel where visitors are asked to enter their credit card details. Although Optimizely doesn't transmit or process data at this point, this is a touchpoint with your visitor's customer data. Generally, any system that could potentially be used to get to your visitors' credit card data is within scope of PCI DSS and therefore has to adhere to the strict rule the payment industry has worked out to protect cardholder's sensitive information.

Optimizely falls into this category since it allows you to write JavaScript in an experiment and deploy it quickly to your site. This is generally helpful functionality that allows you to be agile without adhering to fixed release and deployment cycles; that said, it is important to adhere to PCI DSS where credit card information is collected.

If you're using Optimizely Classic, this article will help you use Optimizely in compliance with PCI DSS.

Optimizely X is PCI compliant. Check out this article to learn how to configure Optimizely for PCI-compliant use to experiment on a checkout page.

Option 1: Host a static copy of your snippet and include it in your release audit

To ensure that nobody can interfere with or intercept your visitor's credit card data while they are entering or submitting it, the PCI standard requires you to audit and check all code deployed to this specific step in your payment process before you put it online. This is typically a process within your organization where multiple people manually check to make sure this data ends up in exactly the place it should be, and isn't sent anywhere else.

You can make Optimizely part of this process. Instead of pointing to the Optimizely snippet on our content delivery network (CDN) that will dynamically update with any change you save in Optimizely or when you start or stop an experiment from the Optimizely Editor, save a static copy of this snippet, make it part of the code audit you're performing as part of PCI DSS, and host it on your own server.

Here's the process that you have to go through for every change to an experiment that affects this step in the payment funnel:

  1. Create an experiment in Optimizely, change a currently running experiment or stop it.

  2. Save your Optimizely snippet (which is a static JavaScript file available under your project-specific URL, such as // to your desktop.

  3. Submit the snippet as part of the PCI DSS compliant code release process you go through for any changes to the credit card data-related steps in your payment funnel.

  4. The page that collects credit card data from visitors must not point to the version of your snippet that we host and update for you (e.g. <script type="text/javascript" src="//"></script>), but instead must point to the version you host on your own server and that went through the PCI DSS compliant code release process.

  5. Be aware that any changes you make to your Optimizely project will only be reflected once you update your self-hosted version of the snippet. Stopping the experiment from the Optimizely Editor will only actually stop the experiment on your site once you went through the above steps.

You can continue use Optimizely as usually on all other pages. PCI DSS is only relevant to the one part of your site where visitors enter credit card information.

Option 2: Embed Credit Card form field through an iFrame

If you want to remove Optimizely from the scope of PCI DSS compliance completely, you can choose to add the actual form field where customers enter their credit card details onto your page through an iframe or redirect users to a payment page hosted by your payment processor. This is the case with many popular payment processors such as Stripe, Paypal or Adyen.

Optimizely code then can't access these fields, essentially shielding it from our snippet. On the down side, you also won't be able to change these fields and optimize them without actually making a separate version of this form available.