Hi Jenniffer.
Looks like caching settings on your server prevent security token to be updated properly, which results in the error message your customer received.
I suggest you to disable Prefetch Payment Popup Scripts option on plugin settings page (Advanced Settings tab).
If this isn’t helping, you should configure your server not to cache payment popup page. Following URL mask should be excluded: {yourwebsite.com}/?asp_action=show_pp. This should prevent security token from being cached and not properly regenerating for each page visitor.