Blast Analytics and Marketing

Analytics Blog

Category: Digital Experience

Optimizely X: PCI Compliance and What It Means for You

June 2, 2017

Breaking news from the team at Optimizely!

As recently announced, their newest testing platform, Optimizely X, now meets demanding PCI compliance security standards specified by the Payment Card Industry Data Security Standard (PCI DSS).

Previously, if you were using Optimizely to test on a PCI compliant site, the guidelines stated that you could not test any page on which a user entered payment information. Most importantly, this meant that you could not run experiments on your whole purchase funnel; you could only test the top of the funnel.

This recent update allows Optimizely X customers to experiment on the entire purchase funnel of their PCI compliant sites!

What is PCI and Why Does It Matter?

We’ve all become familiar with news stories about the latest leak of private information from websites big and small.

As the volume of online transactions continues to increase, so does the risk of a data breach. Data security becomes particularly important when credit card and payment information data is involved. The PCI DSS is a set of standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.


Before Optimizely became compliant, users working on PCI-compliant sites were restricted to testing at the top of the purchase funnel, before credit card or payment information gets entered.

Therefore, optimizing the most critical piece of your funnel was off-limits; your testing plans could not incorporate the entire purchase funnel. For instance, if you found that your billing page was causing significant friction and losing customers, you were out of luck.

There was previously no way you could run tests on your billing page to optimize the user experience without putting the security of your users’ payment information at risk. This was a significant limitation for any testing program looking to positively impact their business.

For those of you interested in the specifics, Optimizely X now meets the security standards detailed in “PCI Data Security Standard version 3.2 Level Service Provider.”

What PCI Compliance means for Optimizely X Customers

By meeting the standards defined by the PCI, Optimizely X can now be used anywhere on any PCI compliant site, giving its users the ability to experiment across the full checkout flow of PCI compliant sites. Optimization of these key parts of the purchase process will undoubtedly improve conversion and reduce cart abandonment rates.

Alongside being able to experiment on these parts of PCI-compliant sites, users can now also work on personalization of the checkout flow. Optimizely X customers will have the ability to:

  • Target users within the checkout flow with upsells and recommendations
  • Target promotions to users during the checkout flow based on their past browsing behavior
  • Gather data on user behavior within the checkout flow for use in personalization campaigns elsewhere on your site


These use cases highlight how Optimizely X’s new PCI compliance opens up a number of testing and personalization possibilities that did not exist previously.

If you previously set aside test plans because of the lack of PCI compliance, now is the time to re-engage!

PCI Compliance and the Optimizely X Product Suite

It is important to note that only the following Optimizely X products and plans are PCI compliant:

There is no extra cost associated with compliance, as long as you are a customer subscribing to one of the above Optimizely X products.

Enabling PCI in Optimizely X

To enable PCI compliance you must first be a customer subscribing to one of the Optimizely X products outlined above. Secondly, all users and projects within your account must use only Optimizely X. No collaborators or projects can remain within Optimizely Classic.

Once you meet these initial requirements you will then need to follow these steps:

  1. Within Optimizely X navigate to Account Settings > Account Overview
  2. Under Password Expiration, select Expire after 90 days
  3. Check the box next to Automatic log out after 15 minutes of inactivity
  4. Save these account changes

  • Now you will need to contact your Customer Success Manager at Optimizely and request that they update your account to PCI Mode.
  • Once your Customer Success Manager has completed this step there will be two changes to your account:
    1. First, your account will use a different URL to load all assets associated with Optimizely. Your account will now use https://cdn-pci.optimizely.com which is Optimizely’s new PCI-compliant Content Distribution Network.
    2. Second, all your existing Optimizely assets will be synced with this new CDN – you don’t need to recreate any aspects of your existing Optimizely Experiments to ensure PCI compliance.
  • You will see that when your account is in PCI Mode your Optimizely snippet gets updated so that it makes its request to the new PCI-compliant CDN: https://cdn-pci.optimizely.com will replace https://cdn.optimizely.com.
  • You will need to copy your new snippet and paste it just below the <head> tag on every page on your site you wish to run Optimizely on, replacing the previous Optimizely snippet you would have had there.

Once this is complete you are PCI-compliant and good to run tests and personalization campaigns on any pages in which payment details are involved!
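A check for the snippet swap described above, added here as an example and not taken from Optimizely or the original post: it parses a page and reports any Optimizely script that still loads from https://cdn.optimizely.com or sits outside <head>. The two sample pages and the /js/0000000000.js path are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PCI_HOST = "cdn-pci.optimizely.com"   # PCI-mode CDN host named in the post
LEGACY_HOST = "cdn.optimizely.com"    # host the PCI-mode snippet replaces

class SnippetAudit(HTMLParser):
    """Record every <script src> whose host is exactly one of the two CDNs."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # (host, inside_head, line_number)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            src = dict(attrs).get("src") or ""
            # urlparse also resolves protocol-relative URLs (//host/path).
            # Exact host comparison rejects lookalikes such as
            # cdn-pci.optimizely.com.example.net.
            host = (urlparse(src).hostname or "").lower()
            if host in (PCI_HOST, LEGACY_HOST):
                self.found.append((host, self.in_head, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_page(html):
    """Return findings for one page; an empty list means the page passes."""
    parser = SnippetAudit()
    parser.feed(html)
    findings = [] if parser.found else ["no Optimizely snippet found"]
    for host, in_head, line in parser.found:
        if host == LEGACY_HOST:
            findings.append(f"line {line}: snippet still loads from {LEGACY_HOST}")
        if not in_head:
            findings.append(f"line {line}: snippet is outside <head>")
    return findings

# Constructed sample pages; the project id 0000000000 is a placeholder.
MIGRATED = ('<html><head>\n<script src="https://cdn-pci.optimizely.com/js/'
            '0000000000.js"></script>\n</head><body></body></html>')
STALE = ('<html><head><title>Billing</title></head>\n<body>\n'
         '<script src="//cdn.optimizely.com/js/0000000000.js"></script>\n'
         '</body></html>')

if __name__ == "__main__":
    for name, page in (("migrated", MIGRATED), ("stale", STALE)):
        print(name, audit_page(page) or "OK")
```

Run it over the rendered HTML of every page in the checkout flow after the switch to PCI Mode, since a single template that still carries the old snippet leaves that page loading from the non-PCI CDN.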

Is Optimizely Classic PCI Compliant?

No, only the products and plans specified above within the Optimizely X suite are PCI compliant. If you are an existing Optimizely Classic customer then you will need to upgrade your subscription to Optimizely X Premium to achieve compliance.

Alternatively, Optimizely has detailed a number of workarounds you can implement to ensure your Classic installation achieves compliance. These workarounds involve either hosting a static version of your Optimizely snippet on your own server or embedding any credit card form fields on your site through an iframe. Both will take your developers’ time, and the second option limits the changes you can make to the checkout process in your experiments.

Therefore, we recommend upgrading to Optimizely X! There are a lot more benefits besides PCI compliance that we’ll be detailing in a future post.

As a 3-star partner of Optimizely, Blast has experience getting clients set up on Optimizely X, and providing data-driven test recommendations targeting the entire purchasing funnel. If you’re ready to expand your testing efforts and would like assistance in transitioning to Optimizely X, Blast is here to help! Contact us to discuss your current or future testing and personalization needs.

Alex Molineux
About the Author

Alex is Associate Manager of Optimization at Blast Analytics. He leverages his expertise in analytics strategy, implementation and optimization to help clients translate data into actionable insights, and is an expert in a wide variety of analytics and testing tools with a focus on Google Analytics, Google Tag Manager, Tealium IQ & AudienceStream, Optimizely and Google Optimize. Whether you’re looking to build out an analytics strategy to gather insights into your core business questions or you are looking to run an effective A/B testing or personalization campaign, he is able to use his expertise to guide and support you.
