PCI compliance version 3.2.1: Configure Optimizely Experimentation for PCI DSS compliant use

  • Updated

This topic describes how to:

  • Identify which Optimizely Experimentation platforms and products are PCI-compliant
  • Configure Optimizely Experimentation for PCI-compliant use
  • Avoid configurations that could affect your PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.

Although Optimizely Experimentation does not process credit card information, your website might. If your website processes credit card information and you use Optimizely Experimentation on those pages, you will need to take a few steps to make sure you maintain PCI compliance when using Optimizely Experimentation. If you are using Optimizely Experimentation for any of these activities, you will need to maintain PCI compliance:

  • Testing across the checkout funnel

  • Personalizing offers and experience in the checkout flow

  • Tracking customer behavior on the checkout page and using it to personalize the experience elsewhere on the website

Optimizely Web Experimentation and Optimizely Web Personalization are PCI-DSS version 3.2.1 Service Provider Level 2 Compliant.

Please view our PCI compliance-related documents

  • Attestation of Compliance

  • Shared Responsibility Matrix

Optimizely Feature Experimentation doesn’t affect your PCI compliance, so it doesn’t need to be PCI-compliant.

PCI compliance is available for select Optimizely Experimentation packages.


Configure Optimizely Experimentation for PCI compliance

There are a couple of initial requirements to make sure you’re using Optimizely Experimentation compliantly:

Work with your Customer Success Manager to enable PCI compliance.

Here’s how to configure your account settings for PCI compliance, with step-by-step instructions below:


  1. Navigate to Account Settings > Security and Privacy.

  2. Under Password Expiration, select Expire after 90 days.

  3. Under Automatic Logout from Inactivity, select Automatically log out after 15 minutes of inactivity.

  4. Click Save.

  5. Contact your Customer Success Manager and request that your account is put in PCI Mode. This will cause two changes to your account:

    a) Your account will use a different URL to load Optimizely Experimentation assets from our PCI-compliant Content Distribution Network (CDN): https://cdn-pci.optimizely.com

    b) Your existing assets will be synced to the new CDN

  6. Replace your snippet in the the <head> tag for your page. When your account is put in PCI Mode, your snippet will change (https://cdn-pci.optimizely.com will replace https://cdn.optimizely.com).


For further information about the internal steps to proceed with the PCI migration, please refer to this document.


PCI-compliant CDN

The PCI-compliant CDN, https://cdn-pci.optimizely.com, differs from Optimizely Experimentation’s primary CDN in two ways:

  • It is PCI-compliant

  • It does not send the Strict Transport Security header; in contrast, the non-PCI CDN sends this header (for HTTPS requests only, since browsers ignore this header in insecure-HTTP responses)

They are similar in some ways as well:

  • Both accept connections over HTTP, but respond with 301 Moved Permanently redirects that upgrade the request to HTTPS

  • For HTTPS requests, both only accept connections over TLS 1.2+

Confirm proper account set-up

To confirm that your account is properly set up for PCI compliance, here's what to check:

  1. Navigate to Account Settings > Security and Privacy.

  2. Under Password Expiration, confirm that the setting is Expire after 90 days.

  3. Under Automatic Logout from Inactivity, confirm that the setting is Automatically log out after 15 minutes of inactivity. Collaborators will need to log out and log back in for this setting to take effect on their sessions.

  4. Confirm that the snippet in the <head> tag for your page includes https://cdn-pci.optimizely.com (not https://cdn.optimizely.com) and is correctly implemented on your page. 


PCI compliance is available for select Optimizely Experimentation packages.

After enabling PCI on your account, the Optimizely Experimentation snippet will be unable to read cross-origin data from before PCI was enabled. This means that visitor behavior-based rules will only be able to reference behavior on origins that the visitor has visited since that time.