Configure Optimizely Experimentation for PCI DSS compliant use

  • Updated
  • Optimizely Web Experimentation
  • Optimizely Personalization
  • Optimizely Performance Edge

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.

Although Optimizely Experimentation and Optimizely Personalization do not process credit card information, your website might. If your website processes credit card information and you use Optimizely on those pages, you must take a few steps to maintain PCI compliance (version 3.2.1) when using Optimizely Experimentation or Optimizely Personalization. You must maintain PCI compliance for the following:

  • Testing across the checkout funnel.
  • Personalizing offers and experience in the checkout flow.
  • Tracking customer behavior on the checkout page and using it to personalize the experience elsewhere on the website.

Optimizely Web Experimentation and Optimizely Personalization are PCI-DSS version 3.2.1 Service Provider Level 2 Compliant.

See PCI compliance-related documents.

Optimizely Feature Experimentation does not affect your PCI compliance, so it does not need to be PCI-compliant.

Configure Optimizely Experimentation and Optimizely Personalization for PCI compliance

Work with your Customer Success Manager to enable PCI compliance.

  1. Go to Account Settings > Security and Privacy.
  2. Select Expire after 90 days under Password Expiration.
  3. Select Automatically log out after 15 minutes of inactivity under Automatic Logout from Inactivity.
    SettingsforPCI.png
  4. Click Save.
  5. Contact your Customer Success Manager and request that your account be put in PCI Mode. This causes changes to your account:
    • Your account uses a different URL to load Optimizely assets from the PCI-compliant Content Distribution Network (CDN): https://cdn-pci.optimizely.com
    • Your existing assets are synchronized to the new CDN.
  6. Replace your snippet in the <head> tag for your page. When your account is put in PCI Mode, your snippet changes:https://cdn-pci.optimizely.com replaces https://cdn.optimizely.com.

    Accounts-16.png

PCI-compliant CDN

The PCI-compliant CDN, https://cdn-pci.optimizely.com, differs from Optimizely's primary CDN in that it is PCI-compliant.

They are similar in some ways:

  • Both send the HTTP Strict Transport Security header.
  • Both accept connections over HTTP but respond with 301 Moved Permanently redirects that upgrade the request to HTTPS.
  • For HTTPS requests, both only accept connections over TLS 1.2+.

Confirm proper account set-up

To confirm that your account is properly set up for PCI compliance:

  1. Go to Account Settings > Security and Privacy.
  2. Select Expire after 90 days under Password Expiration.
  3. Select Automatically log out after 15 minutes of inactivity under Automatic Logout from Inactivity. Collaborators must log out and log back in for this setting to take effect on their sessions.
  4. Confirm that your snippet is in the <head> tag for your page, includes https://cdn-pci.optimizely.com (not https://cdn.optimizely.com), and is correctly implemented on your page. 

Limitations

After enabling PCI on your account, the Optimizely snippet cannot read cross-origin data from before PCI was enabled. This means that visitor behavior-based rules can only reference behavior on origins that the visitor has visited since that time.