What I meant is that cryptography is a separate activity that "works" in a different way. The result of "crypto" should be requirements for the software to meet.

These requirements should not be limited to description of how the algorithm works but also to important details like "no logging of any cryptographic material" or "duration of operations should be independent of data being processed or success of the operation".

The general problem with developer approach to crypto is that developers decide they have finished when their piece of code works. That just doesn't work with crypto (or security in general).

As to your second comment I can say that I was the only developer at the company and there was no option for hiring other people. As a developer I try to do the best I can with the situation I am in but CEO level decisions on hiring were generally outside my influence.

Whenever you work on something sensitive and potentially dangerous you generally get into a problem of "how I am going to convince them this is safe". In my case, having math background, the solution I decided to go with was to have a written rigorous proof of correctness of the solution and have two other mathematicians and PCI verify the proof (though I have no illusions PCI auditors went through entire document).

As far as cryptography and security goes it isn't possible to prove anything is safe and secure beyond questioning. I am happy in that I did about as much as I could.