  #5  
05-01-2012, 07:06 AM
totaltec
 

X-Guru
  
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823
 

Re: Does X-Payments have to live on a separate server?

I think that it is more important from a compliance standpoint to consider hosting the database on a separate server than X-Payments. But I also believe that since X-Cart is not PA-DSS validated, it compromises the PCI compliance of whatever server it is installed on.

The point of the compliance is to prevent breaches and ensure the security of the web server, so a non-validated application's existence would seemingly bring the entire server out of compliance. So to be completely safe you might need 3 servers!!!

Getting your site to be compliant is such a grey area that it doesn't seem to be worth the effort. What we need to do is find out how many conversions will be lost due to re-direction before we can consider that option.

The general consensus is that re-directing customers away from the site to the hosted gateway will decrease conversions.

I found some opinions on the net to the contrary:
http://forum.boagworld.com/discussion/6549/payment-gateways-on-site-processing-or-hosted-page

One could make the argument that clients feel safer entering their info at PayPal or Authorize.net, but I am not a believer yet.