07-14-2010, 05:17 PM

geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Ene
You refer to PCI-DSS, however we should check PA-DSS.

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf

It says that:

When you log in to your application, do you access it remotely? Yes.
That's why we need two-factor authentication, i.e. PIN codes.

No.
You are misinterpreting this. PA-DSS requirement 11.2, as it says, is derived from PCI-DSS requirement 8.3 which requires two factor authentication for remote access. The problem is that how your customers are accessing X-Payments does not fall under the definition of remote access. The PCI-DSS FAQ on the definition of remote access says:

"PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company's own network."

So it's VPN-style network-level access that is being referred to, not web application logins. If remote access included people logging into a web application, then every gateway out there would be in violation of PCI-DSS 8.3. But all the gateways are QSA certified. As PA-DSS 11.2 is derived from PCI-DSS 8.3, the same definition of remote access applies.

Granted, PA-DSS 11.2 could be written better for clarity (as could a whole lot of PCI-DSS and PA-DSS), but the references back to the PCI-DSS requirements are there so you can refer back to the PCI-DSS to understand the intent of the PA-DSS requirements.

You might also want to take a look at the fact that none of your competitors (at least that I have been able to find) that are PA-DSS certified have implemented two factor authentication.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com