Nothing wrong with that, IF it's on an isolated WAN, and not connected to the internet.
A fully patched copy of XP, with all the group/local policies set to lock it down, is very secure.
In a lot of cases, it may look like XP, but it's actually XP Embedded, which has a lot of stuff stripped out, which reduces the attack surface significantly.
It costs money to upgrade the checkout application for a new OS, and put it through rigorous testing - These things need to work almost 24/7 without crashing or needing admin intervention.
It's the old idiom: If it ain't broke, don't fix it.
