Why Session Timeout Matters in Luminate Online (and How to Make It Less Painful for Donors)

If you’ve noticed a new session timeout message appearing across your Blackbaud Luminate Online® pages, you’re not imagining things. Session timeouts were introduced as part of PCI DSS v4.0 compliance, specifically requirement 8.2.8, which mandates that idle sessions end after 15 minutes to protect sensitive payment data. From a security standpoint, this is a good thing. From a donor experience standpoint, the default implementation can feel abrupt, confusing, and out of sync with the rest of your digital fundraising experience.
When session timeout was rolled out, we saw the same challenge across clients: the requirement was met, but the experience wasn’t. This post explains why session timeout exists, what the default LO experience gets wrong, and how thoughtful updates to copy, styling, and context can protect compliance without undermining conversion or donor trust.
Why Session Timeout Exists in Luminate Online
PCI DSS v4.0 raised the bar on session security, particularly for environments that handle payment data. Requirement 8.2.8 states that if a user session is idle for more than 15 minutes, the user must re-authenticate to regain access. In Luminate Online, this applies broadly, not just to donation forms, but also to pages, surveys, TeamRaisers, and other interactive experiences that may touch constituent data.
Blackbaud implemented this by introducing a global session timeout pop-up. Functionally, it does what it needs to do: it warns users that their session is about to end and requires action to continue. We want to make sure that the message shows up for donors and participants without disrupting the user experience.
What the Default Experience Gets Wrong
Out of the box, the session timeout message in Luminate Online is generic and visually disconnected from most branded fundraising experiences. For donors, this can raise unnecessary friction at exactly the wrong moment.

Common problems we see:
- The language is technical and vague, offering little reassurance about what’s happening or why.
- The same copy appears everywhere, regardless of whether someone is filling out a donation form, completing a survey, or registering for a TeamRaiser.
- The styling often clashes with custom templates, making the message feel untrustworthy or even suspicious.
- There’s no clear indication of what action the user should take to continue safely.
For busy annual fund donors, especially those multitasking or pausing mid-gift, this can lead to abandonment or confusion.
Improving the Session Timeout Experience Without Breaking Compliance
PCI DSS v4.0 defines when a session must expire. It does not define how that experience should behave across different parts of Luminate Online. That distinction matters.
At Doing Good Digital, we approached session timeout as a contextual UX problem, not a one-size-fits-all message. Different LO experiences carry different levels of risk, effort, and donor frustration if a session ends unexpectedly, and we can provide updates that reflect that reality.
Reducing friction where no data is at risk
On general, public-facing pages where users are not logged in and haven’t entered any information, the timeout warning often creates more confusion than value.
For PageBuilder pages, general TeamRaiser pages, and personal pages viewed anonymously, we hide the session timeout pop-up entirely. If there’s no form data to lose and no authentication to protect, interrupting the experience doesn’t meaningfully improve security, but it does increase cognitive load.
This is a case where meeting the spirit of PCI means knowing when not to interrupt the user.
Clear, security-forward copy for logged-in experiences
For logged-in users across Luminate Online, including member centers, personal pages, confirmation pages, and other authenticated views, we use consistent, calm language:
Copy:
“For your security, your session will expire shortly.”
CTA:
“Stay Logged In”
This reinforces that the message is about protection, not an error, and gives users a simple, confidence-building action to continue.
Explicit consequences on in-progress forms
When a user is actively filling out a form, the stakes are higher. Losing entered information is frustrating, and the timeout message should say that plainly.
For donation forms, TeamRaiser registrations, event registrations, surveys, and ecommerce flows, we update the copy to explicitly acknowledge effort and loss of progress:
Copy:
“For your security, your session will expire shortly and you will lose any information you have entered on this page.”
The call to action then matches the task the user is trying to complete:
- Finish my donation
- Finish your registration
- Finish filling out form
- Keep shopping

This removes ambiguity. Users immediately understand both why the message is appearing and what they should do next.
Confirmation pages that don’t overcorrect
Once a transaction or registration is complete, the experience shifts again. On donation thank-you pages, TeamRaiser confirmation pages, and event confirmations, we revert to the simpler logged-in message. At that point, there’s no risk of losing work, and the tone should reflect completion rather than urgency.
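The contextual rules described above, collected into one decision function as an added example (this is not Doing Good Digital's or Blackbaud's code). The page-type names and the `timeoutDialog` function are hypothetical, and using "Finish your registration" for both registration flows is an assumption.

```javascript
// Added example. Page-type keys are hypothetical labels, not Luminate Online identifiers.
const BASE_COPY = "For your security, your session will expire shortly.";
const LOSS_COPY =
  "For your security, your session will expire shortly and you will lose " +
  "any information you have entered on this page.";

// In-progress flows: explicit loss-of-progress copy plus a task-specific CTA.
const FORM_CTAS = new Map([
  ["donation_form", "Finish my donation"],
  ["teamraiser_registration", "Finish your registration"],
  ["event_registration", "Finish your registration"], // assumption: same CTA
  ["survey", "Finish filling out form"],
  ["ecommerce", "Keep shopping"],
]);

// Public pages where the pop-up may be hidden for anonymous visitors.
const PUBLIC_PAGES = new Set(["pagebuilder", "teamraiser_general", "personal_page"]);

// Decides presentation only; it does not change when the session expires.
function timeoutDialog({ pageType, loggedIn, hasEnteredData }) {
  // 1. Forms in progress always warn about losing entered information.
  if (FORM_CTAS.has(pageType)) {
    return { show: true, copy: LOSS_COPY, cta: FORM_CTAS.get(pageType) };
  }
  // 2. Hide only when nothing is at stake: a public page, an anonymous
  //    visitor, and no information entered.
  if (PUBLIC_PAGES.has(pageType) && !loggedIn && !hasEnteredData) {
    return { show: false, copy: null, cta: null };
  }
  // 3. Logged-in views, confirmation pages, and any unrecognised page type
  //    fall back to the simple security message rather than being hidden.
  return { show: true, copy: BASE_COPY, cta: "Stay Logged In" };
}

// Constructed sample contexts.
const samples = [
  { pageType: "personal_page", loggedIn: false, hasEnteredData: false },
  { pageType: "personal_page", loggedIn: true, hasEnteredData: false },
  { pageType: "donation_form", loggedIn: false, hasEnteredData: true },
  { pageType: "donation_thank_you", loggedIn: true, hasEnteredData: false },
];
for (const s of samples) {
  const d = timeoutDialog(s);
  console.log(s.pageType, s.loggedIn ? "(logged in)" : "(anonymous)", "->",
    d.show ? `${d.cta}` : "hidden");
}
```

Because the final branch is the default, a page type that has not been classified still shows the warning instead of silently suppressing it.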
Brand-aligned styling that builds trust
When a pop-up doesn’t look like the rest of your site, donors hesitate. We align fonts, colors, spacing, and buttons with existing Luminate Online templates so the timeout message feels like a natural part of your digital ecosystem.
This is especially important for hospital foundations, where trust and professionalism are critical to donor confidence.

What This Means for Your Annual Giving Performance
Session timeout is now part of the Luminate Online reality. Ignoring it isn’t an option, but optimizing it is.
A clearer, better-branded timeout experience can:
- Reduce donor confusion at high-intent moments
- Lower abandonment caused by uncertainty or fear
- Reinforce your organization’s professionalism and attention to detail
- Protect compliance without sacrificing conversion
These are small changes, but they sit at a critical intersection of security, UX, and fundraising performance.
If you want help reviewing or improving your Luminate Online session timeout experience, or you’re unsure whether your current setup balances compliance and conversion, we’d love to chat. We’ll walk through your specific LO configuration and help you make practical, compliant improvements that support your annual giving goals.





