
FinTech — PSD2/PCI-DSS Payment Gateway

European financial entity implements a payment gateway compliant with PSD2 and PCI-DSS level 1.

Architecture diagram

A European financial entity implements a payment gateway that must comply with PSD2 (Strong Customer Authentication, SCA) and PCI-DSS Level 1. Requirements come from four departments, each in its own system: regulatory (legal PDFs), product (Jira), security (Confluence) and architecture (Google Docs). Because the entity operates in the EU, the EU AI Act also requires it to document how AI is used in development.

Phase 01 intake

Regulatory requirements normalization

Ingests requirements from Jira, Confluence, legal PDFs and Google Docs. Finds 47 functional requirements (deduplicated from 83 raw entries), 12 non-functional requirements and 6 conflicts between sources.

◻ intake
intake init "Payment Gateway PSD2" \
  --source jira://PAYMENTS/sprint-42 \
  --source confluence://arch/payment-rfc \
  --source docs/psd2-regulation-v3.pdf \
  --source gdocs://1a2b3c4d/meeting-notes-payments \
  --mode enterprise
Phase 02 architect

Implementation with financial guardrails

Pipeline with protected files, vigil and licit quality gates, and code rules that block verify=False: disabling TLS certificate validation lets an on-path attacker intercept cardholder data in transit, which fails PCI-DSS.

△ architect
architect pipeline pipelines/payment-feature.yaml \
  --var task="SCA Authentication Service" \
  --var spec_dir="specs/payment-gateway/"
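As an added example, not code from the page or from the architect tool, the following shows the kind of AST-based rule such a gate can implement: it flags verify=False passed to any HTTP call, attribute assignments that switch off verification, and verify_mode = ssl.CERT_NONE, and it is run over a constructed vulnerable charge() call and its hardened form. The rule IDs, the CA bundle path and the acquirer host are assumptions made for the example.

```python
import ast
from dataclasses import dataclass

# Constructed samples for this example (not code from the page or from the
# architect tool): the pattern a PCI-DSS gate must reject, and a hardened form.
VULNERABLE_SRC = '''
import requests

def charge(card_token, amount):
    # verify=False turns off certificate validation: an on-path attacker can
    # impersonate the acquirer and read cardholder data in transit.
    return requests.post("https://acquirer.example/charge",
                         json={"token": card_token, "amount": amount},
                         verify=False, timeout=5)
'''

HARDENED_SRC = '''
import requests

def charge(card_token, amount):
    session = requests.Session()
    session.verify = "/etc/ssl/certs/acquirer-ca.pem"  # pinned CA bundle (assumed path)
    return session.post("https://acquirer.example/charge",
                        json={"token": card_token, "amount": amount},
                        timeout=5)
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _is_false(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def scan_source(src: str, filename: str = "<memory>") -> list:
    """Return findings for TLS-verification bypasses in Python source.

    Three rules, all AST-based so that comments, strings and formatting
    cannot hide or fake a match:
      PCI-TLS-001  verify=False passed to any call (requests, httpx, urllib3)
      PCI-TLS-002  obj.verify = False / ctx.check_hostname = False
      PCI-TLS-003  ctx.verify_mode = ssl.CERT_NONE
    The rule IDs are invented for this example.
    """
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append(Finding(node.lineno, "PCI-TLS-001",
                        "TLS certificate verification disabled via verify=False"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr in ("verify", "check_hostname") and _is_false(node.value):
                    findings.append(Finding(node.lineno, "PCI-TLS-002",
                        f"{target.attr} set to False"))
                if (target.attr == "verify_mode"
                        and isinstance(node.value, ast.Attribute)
                        and node.value.attr == "CERT_NONE"):
                    findings.append(Finding(node.lineno, "PCI-TLS-003",
                        "verify_mode set to ssl.CERT_NONE"))
    return sorted(findings, key=lambda f: f.line)


def gate(src: str) -> bool:
    """Quality-gate verdict: True means the source may merge."""
    return not scan_source(src)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(name, "->", "PASS" if gate(src) else "FAIL")
        for f in scan_source(src):
            print(f"  line {f.line}: {f.rule} {f.message}")
```

Matching on the AST rather than on text is deliberate: a grep for "verify=False" is defeated by a line break between the keyword and the value and fires on comments, while the ssl-context variant (check_hostname / CERT_NONE) never contains the string at all.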
Phase 03 vigil

Financial security verification

Checks cryptographic dependencies, JWT lifetimes, encryption algorithms, and that payment tests contain real assertions rather than placeholders.

◇ vigil
vigil scan src/services/payment/ --format sarif --output vigil-payment.sarif
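The JWT lifetime check above is a policy rule; as an added example, not code from the page or from vigil, the following verifier enforces it at the point a token is accepted: it pins the algorithm, verifies the HS256 signature before trusting any claim, and then rejects tokens that have no exp, are expired, or whose exp - iat exceeds the allowed lifetime. The demo key and the 5-minute limit are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a demo HS256 key and an assumed policy that an
# SCA access token may live at most 5 minutes. Real gateways keep signing keys
# in an HSM or KMS, never in source, and take the limit from policy.
DEMO_KEY = b"demo-only-not-a-real-key"
MAX_LIFETIME_S = 5 * 60


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT (only so the example has tokens to check)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def check_token(token: str, key: bytes = DEMO_KEY, now=None,
                max_lifetime_s: int = MAX_LIFETIME_S) -> list:
    """Return the policy violations for a token; an empty list means accepted.

    Order matters: the algorithm is pinned and the signature verified before
    any claim is read, so a forged payload cannot steer the lifetime checks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return ["malformed: header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header and payload must be JSON objects"]
    # Never take the algorithm from the token: "none" and RS256->HS256
    # confusion both rely on the verifier honouring whatever alg it sees.
    if header.get("alg") != "HS256":
        return [f"alg {header.get('alg')!r} not allowed"]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return ["signature mismatch"]

    problems = []
    now = time.time() if now is None else now
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)):
        problems.append("missing exp: token never expires")
    else:
        if exp <= now:
            problems.append("expired")
        if isinstance(iat, (int, float)) and exp - iat > max_lifetime_s:
            problems.append(f"lifetime {int(exp - iat)}s exceeds {max_lifetime_s}s")
    return problems


if __name__ == "__main__":
    issued = int(time.time())
    for label, exp in (("5 min", issued + 300), ("24 h", issued + 86400)):
        token = mint_token({"sub": "psu-42", "iat": issued, "exp": exp})
        print(label, "->", check_token(token) or "accepted")
```

The check returns a list rather than a boolean so a scanner or gateway log can report every violation at once (a token can be both over-long and missing iat), and the signature check uses hmac.compare_digest to avoid a timing side channel on the comparison.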
Phase 04 licit

Regulatory compliance and provenance

Initializes provenance tracking, generates the FRIA (Fundamental Rights Impact Assessment) and the Annex IV technical documentation, and evaluates compliance with the EU AI Act and with OWASP guidance for agentic AI.

⬡ licit
licit init
licit trace --since "2024-01-01"
licit fria
licit annex-iv
licit report --format markdown
licit verify --min-score 75
.github/workflows/payment-pipeline.yml
name: Payment Gateway CI/CD
on:
  pull_request:
    paths: ['src/services/payment/**']
jobs:
  spec-compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: intake verify specs/payment-gateway/ --project-dir . --format junit
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: vigil scan src/services/payment/ --format sarif --output vigil.sarif
      # Each job runs on its own runner, so the SARIF must be published for the next job
      - uses: actions/upload-artifact@v4
        with:
          name: vigil-sarif
          path: vigil.sarif
  regulatory-compliance:
    runs-on: ubuntu-latest
    needs: [security-scan]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: vigil-sarif
      - run: |
          licit trace
          licit connect vigil --sarif vigil.sarif
          licit verify --min-score 75

In European fintech, the EU AI Act requires documenting AI usage in high-risk systems. A payment gateway whose code is generated by AI agents therefore needs provenance tracking, a FRIA, Annex IV technical documentation and an evaluation against OWASP guidance for agentic AI. Without licit, producing this evidence would take weeks of manual work per audit.