Thanks for the information!
If so, I guess it is allowed to install X-Payments on the same server with X-Cart provided the shared server satisfies the requirements listed in Appendix A.
As far as I understand, it will put all web applications installed on the server into PCI DSS scope. So, you will have to satisfy the requirements listed under the "Requirement 6: Develop and maintain secure systems and applications" section:
- Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches
- Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet)
- Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle
- Follow change control procedures for all changes to system components
- Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide
- For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  - Installing a web-application firewall in front of public-facing web applications
I believe the 3rd and the 5th requirements apply to all custom modifications to X-Cart and other web applications installed on the server.