> ## Documentation Index
> Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Choose a Payment Method

> Agent Checkouts can pay with any method the merchant accepts — Crossmint Agent Cards, other providers, cards on file, or local methods.

Because Agent Checkouts drives the merchant's real checkout, it can pay with **any method that merchant accepts** — not just a Crossmint card. That includes:

* **Crossmint Agent Cards** — a card you issue and control with [spending rules](/agents/how-agents-pay).
* **Other agent-card providers** — an agent card from another issuer, such as **Ramp Agent Cards**, **Link**, and others.
* **A card on file** — a card already saved in the user's account at the merchant, used by [logging into the store](/agents/payment-flows/agent-checkouts-authenticated-stores).
* **Local and alternative methods** — whatever the merchant offers at checkout, like **Shop Pay**, **bank transfer**, or **Bizum**.

## How payment is collected

Choose the payment **method** in the buyer [`request`](/agents/payment-flows/agent-checkouts-buyer-context) (e.g. `"pay by card"`) so the agent knows what to use. The **card details** are the one thing you can't put in the request — the agent collects those through a **user action**: when the checkout reaches the payment step it raises a `pendingUserAction`, and you submit the details in your response during the run.

## Which card to submit

When you submit card details in the payment action, use **only an agent card or a single-use / virtual card number — never a real, reusable card number (PAN)**. A scoped or one-time number can't be reused if it leaks; a reusable PAN can be charged again, so never send one.

This is why submitting such a number is fine: the card networks put single-use and virtual numbers **outside PCI-DSS scope** precisely because they can't be reused.

* **Visa:** single-use virtual Visa account numbers are *"out of scope for PCI DSS protection requirements based on the low risk of fraud,"* and EMVCo payment tokens *"are not considered to be Visa account data and are not in scope for PCI DSS"* — while *"all other Visa primary account numbers (PANs) must be protected in accordance with PCI DSS"* ([Expanded Position on PCI DSS Applicability for Virtual Visa Accounts](https://usa.visa.com/dam/VCOM/global/support-legal/documents/expanded-pci-dss.pdf)).
* **Mastercard:** Single-Use Virtual Card Numbers are treated as out of PCI-DSS scope because the number is disabled after one authorization and cannot be reused ([Virtual Card Numbers and SDP Compliance FAQs](https://www.mastercard.com/content/dam/public/mastercardcom/globalrisk/pdf/Virtual%20Card%20Numbers%20and%20SDP%20Compliance%20FAQs%20\(15%20February%202022\).pdf)).

The agent-card programs that issue these scoped tokens are [Visa Intelligent Commerce](https://developer.visa.com/capabilities/visa-intelligent-commerce) and [Mastercard Agent Pay](https://www.mastercard.com/us/en/business/artificial-intelligence/mastercard-agent-pay.html).

<Warning>Never submit a real, reusable card number (PAN). Use an agent card or a single-use / virtual number.</Warning>
