PCI compliance is a weird animal. Depending on who does the scanning, a company can have a lot of work to do or very little. PCI compliance, in a nutshell, is a requirement imposed by credit card processing companies: any business that holds credit card data on file in-house must be scanned. If the business doesn't pass the penetration test, it won't be able to process cards internally.
Today I dealt with a company that is required by a company called Trustwave to use two-factor authentication for its VPN connections. I have tons of customers who get scanned for PCI compliance, and none of them has had this requirement. It makes me wonder if the scanners are in cahoots with these vendors to push customers in a certain direction and spend more money. It's way too random to be logical.