by amelius 1952 days ago
This is not always possible, however. How should the hacker have proceeded in this case?
3 comments

By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out," or ask if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Pushing beyond the account creation step wasn't necessary. Enabling the payment functionality is where it deviated into black hat territory.