Dog, read here:
https://www.pcisecuritystandards.org/index.shtml
If you process credit cards you MUST use a certified cart - and believe me, you won't be able to afford to certify a cart that was built for you. The credit card companies are sick of losing money by home made shopping carts with no security. This is their way of ensuring that the data transmitted from the cart to the gateway is absolutely secure - if there are any security holes, the cart won't pass the certification test. Qualiteam is getting by the requirement for now by making X-Payments handle the cc data, not the core X-Cart. So therefore the cart itself doesn't need to be certified. It isn't a load of crap, this is actually a very good idea and one that is long overdue. I can't tell you how many people come to me and have thousands of credit card numbers stored unencrypted in their database and don't even know it. This eliminates that from ever happening. Makes me feel better about online shopping, I can tell you that.
Aqua, you won't have to upgrade, BCS Engineering will be making the module compatible with prior versions - just waiting on the final release of X-Payments before they release their 'bridge' application.