Figured it out.
Our security guy was tightening up the server in preparation for going live.
He added:
Code:
Header always set X-Frame-Options DENY
into the Apache config. That killed the iFrame that X-Payments was using.
Once we commented out that line and restarted Apache, all was good.