Not strictly true; they could use the SagePay Form, which takes the client off XF.com onto SagePay's servers, where the card details are entered, and then they get returned to XF after the transaction, no PCI compliancy required.
You do however need a merchant account and a SagePay account, both of which cost money, so it would depend if they expect to get enough usage to make it worthwhile.