Even without paying Microsoft, you can still continue to get security updates for Windows XP.
See, the Windows XP-POS (Point of Sale) edition - used on many cash-registers and similar POS systems - still is receiving support from Microsoft, and will until Sprint 2016. WindowsXP-POS is almost feature-identical with the Home and Corporate editions of XP; XP-POS just has a few additional features specific to its needs. More importantly, patches for XP-POS work on regular XP as well.
By default, Windows XP won't see XP-POS specific patches when it checks Windows Update. But with a quick tweak to the Windows Registry, you can make your hoary old WindowsXP version poll Windows Update as if it were a WindowsXP-POS system and thus access any security updates that have been released since April 2014.
Specifically, you need to create a new DWord value named "Installed" in the registry key HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady. The value for the DWord is 1. Then just run Windows Update and install any patches as usual. If you don't know what any of that means, then you probably shouldn't even make the attempt.
Obviously, Microsoft will not support this configuration if something gets messed up and there is always the risk that Microsoft adds some sort of incompatibility to the POS patches that might brick a Home/Corporate edition of XP. There may also be licensing issues (e.g., Home and Corporate XP users may not be authorized to download and install XP-POS patches). So use at your own risk.
But if you can't bear to let that old XP installation go just yet (and you really should), at least you don't have to worry about being completely vulnerable to every security vulnerablity in that old OS.