Blast Analytics and Marketing

Analytics Blog

Supporting Leaders to EVOLVE
header image for optimizely x pci blog post
Category: Digital Experience

Optimizely X: PCI Compliance and What It Means for You

Breaking news from the team at Optimizely!

As recently announced, their newest testing platform, Optimizely X, now meets demanding PCI compliance security standards specified by the Payment Card Industry Data Security Standard (PCI DSS).

Previously, if you were using Optimizely to test on a PCI compliant site, the guidelines stated that you could not test any pages on which a user input payment information. Most importantly this meant that you could not run experiments on your whole purchase funnel, you could only test the top of the funnel.

This recent update allows Optimizely X customers to experiment on the entire purchase funnel of their PCI compliant sites!

What is PCI and Why Does It Matter?

We’ve all become familiar with news stories about the latest leak of private information from websites big and small.

As the volume of online transactions continues to increase, so does the risk of a data breach. Data security becomes particularly important when credit card and payment information data is involved. The PCI DSS is a set of standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

image for pci and dss compliance

Prior to becoming compliant, Optimizely users working on PCI-compliant sites were restricted to testing at the top of the purchase funnel, before credit card or payment information gets entered.

Therefore, optimizing the most critical piece of your funnel was off-limits; your testing plans could not incorporate the entire purchase funnel. For instance, if you found that your billing page was causing significant friction and losing customers, you were out of luck.

There was previously no way you could run tests on your billing page to optimize the user experience, without putting the security of your user’s payment information at risk. This was a significant limitation for any testing program looking to positively impact their business.

For those of you interested in the specifics, Optimizely X now meets the security standards detailed in “PCI Data Security Standard version 3.2 Level Service Provider.

What PCI Compliance means for Optimizely X Customers

image showing PCI complianceBy meeting the standards defined by the PCI, Optimizely X can now be used anywhere on any PCI compliant site, giving it’s users the ability to experiment across the full checkout flow of PCI compliant sites. Optimization of these key parts of the purchase process will undoubtedly improve conversion and reduce cart abandonment rates.

Alongside being able to experiment on these parts of PCI-compliant sites, users can now also work on personalization of the checkout flow. Optimizely X customers will have the ability to:

  • Target users within the checkout flow with upsells and recommendations
  • Target promotions to users during the checkout flow based on their past browsing behavior
  • Gather data on user behavior within the checkout flow for use in personalization campaigns elsewhere on your site

pci compliance for purchase funnel image

These use cases highlight how Optimizely X’s new PCI compliance opens up a number of testing and personalization possibilities that did not exist previously.

If you previously set aside test plans because of the lack of PCI compliance, now is the time to re-engage!

PCI Compliance and the Optimizely X Product Suite

It is important to note that only the following Optimizely X products and plans are PCI compliant:

There is no extra cost associated with compliance, as long as you are a customer subscribing to one of the above Optimizely X products.

Enabling PCI in Optimizely X

image showing enabling of pci complianceTo enable PCI compliance you must first be a customer subscribing to one of the Optimizely X products outlined above. Secondly, all users and projects within your account must use only Optimizely X. No collaborators or projects can remain within Optimizely Classic.

Once you meet these initial requirements you will then need to follow these steps:

  1. Within Optimizely X navigate to Account Settings > Account Overview
  2. Under Password Expiration, select Expire after 90 days
  3. Check the box next to Automatic log out after 15 minutes of inactivity

image of where to enable pci compliance on optimizely x

4. Save these account changes

  • Now you will need to contact your Customer Success Manager at Optimizely request that they update your account to PCI Mode.
  • Once your Customer Success Manager has completed this step there will be two changes to your account:
    1. First, your account will use a different URL to load all assets associated with Optimizely. Your account will now use which is Optimizely’s new PCI-compliant Content Distribution Network.
    2. Second, all your existing Optimizely assets will be synced with this new CDN – you don’t need to recreate any aspects of your existing Optimizely Experiments to ensure PCI compliance.
  • You will see that when your account is in PCI Mode your Optimizely snippet gets updated so that it makes a request from the new PCI-compliant CDN, will replace
  • You will need to copy your new snippet and paste it just below the <head> tag on every page on your site you wish to run Optimizely on, replacing the previous Optimizely snippet you would have had there.

Once this is complete you are PCI-compliant and good to run tests and personalization campaigns on any pages in which payment details are involved!

Is Optimizely Classic PCI Compliant?

optimizely logoNo, only the products and plans specified above within the Optimizely X suite are PCI compliant. If you are an existing Optimizely Classic customer then you will need to upgrade your subscription to Optimizely X Premium to achieve compliance.

Alternatively, Optimizely has detailed a number of workarounds you can implement to ensure your Classic installation achieves compliance. These workarounds involve either hosting a static version of your optimizely snippet on your own server, or embedding any credit card form fields on your site through an iFrame. Both will involve your developers’ time and the second option limits the changes you can make to the checkout process to experiment upon.

Therefore, we recommend upgrading to Optimizely X! There are a lot more benefits besides PCI compliance that we’ll be detailing in a future post.

As a 3-star partner of Optimizely, Blast has experience getting clients set up on Optimizely X, and providing data-driven test recommendations targeting the entire purchasing funnel. If you’re ready to expand your testing efforts and would like assistance in transitioning to Optimizely X, Blast is here to help! Contact us to discuss your current or future testing and personalization needs.

Alex Molineux
About the Author

Alex is a Senior Analytics Optimization Consultant at Blast Analytics who leverages his expertise in analytics strategy, implementation and optimization to help clients translate data into actionable insights. He is an expert in a wide variety of analytics and testing tools with a focus on Google Analytics, Google Tag Manager, Tealium IQ & AudienceStream, Optimizely and Google Optimize. Whether you’re looking to build out an analytics strategy to gather insights into your core business questions or you are looking to run an effective A/B testing or personalization campaign he is able to use his expertise to guide and support you.

Connect with Alex on LinkedIn. Alex Molineux has written on the Blast Digital Customer Experience and Analytics Blog.

We’re here to help with tips and insights on the following topics:

Data Management Digital Analytics Digital Experience Digital Transformation Marketing Activation User Privacy
HIPAA and Analytics White Paper CTA

Featured White Paper

Healthcare Analytics and HIPAA: Ways to Minimize Risk and Ensure Compliance

The rise in digital data and analytics adds complexity and risk for healthcare organizations. Those that don’t comply with data privacy requirements, including Health Insurance Portability and Accountability Act (HIPAA), could face heavy fines, civil action lawsuits, and even criminal charges. Not to mention loss of patient trust.

Download the White Paper

Ready To Do More With Your Data?

If you have questions or you’re ready to discuss how Blast can help you EVOLVE your organization, talk to an Analytics Consultant today.

Call 1 (888) 252-7866 or contact us below.