For any ecommerce I would recommend a dedicated host or, at minimum, a VPS server where you can manage your site as the only site on the host. Many times on shared hosts the server has been compromised as well.
I'd export your products, start on a new host, re-set up your cart, import your products and start clean, and then use some of the free/cheap PCI compliance audits to verify your site as much as possible. Reading through the questionnaire will answer any concerns about what you should be doing to secure your site, data and customer info.
Next time, assuming you don't do international sales or not from certain countries, you need to firewall off CHINA, RUSSIA, ROMANIA, ALBANIA, UKRAINE, NIGERIA... etc. to keep the hackers from easily getting to your site.
If you just sell to the US/CA market I would drop the entire APNIC, AFRINIC, LACNIC and RIPE into the firewall just to sleep better at night.
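An added example, not part of the original post: one way to turn a registry's published "delegated" statistics file into firewall sets for the regional blocking described above. It assumes the pipe-separated delegated format and nftables as the firewall; the sample records are constructed, and the function and set names are hypothetical.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status); not real allocation data.
# For ipv4 the value is an address count, for ipv6 a prefix length.
SAMPLE = """\
# constructed sample
2|apnic|20240101|5|19830613|20240101|+1000
apnic|*|ipv4|*|4|summary
apnic|XX|ipv4|198.51.100.0|256|20110101|allocated
apnic|XX|ipv4|203.0.113.0|128|20110101|assigned
apnic|XX|ipv4|203.0.113.128|128|20110101|assigned
apnic|XX|ipv4|192.0.2.0|768|20110101|allocated
apnic|XX|ipv6|2001:db8::|32|20110101|allocated
apnic||ipv4|198.18.0.0|256|20110101|available
"""

def parse_delegated(text, registry):
    """Return (ipv4_nets, ipv6_nets) delegated by `registry`, merged."""
    nets = []
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skip comments, the version header and the summary lines.
        if line.startswith("#") or len(f) < 7 or f[0] != registry:
            continue
        kind, start, value, status = f[2], f[3], f[4], f[6]
        if status not in ("allocated", "assigned"):
            continue  # unused space is not in anyone's hands yet
        if kind == "ipv4":
            # Counts are not always a power of two, so one record can
            # expand into several CIDR blocks.
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            nets.append(ipaddress.IPv6Network(f"{start}/{value}"))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4), list(v6)

def nft_set(name, nets, family):
    """Render an nftables interval set; family is 'ipv4' or 'ipv6'."""
    elems = ", ".join(str(n) for n in nets)
    return f"set {name} {{ type {family}_addr; flags interval; elements = {{ {elems} }} }}"

def is_blocked(ip, nets):
    """Check a known customer address against the list before deploying."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

if __name__ == "__main__":
    v4, v6 = parse_delegated(SAMPLE, "apnic")
    print(nft_set("geo_v4", v4, "ipv4"))
    print(nft_set("geo_v6", v6, "ipv6"))
```

Running `is_blocked` over the source addresses of recent legitimate orders before loading the sets shows which existing customers a regional block would cut off.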