McAfee Secure, after all, is designed to pinpoint precisely these types of vulnerabilities.
Yes, it does pinpoint them and then gives a lovely report which you can choose to totally ignore and so long as none of the vulnerabilities are classified at the highest level you still get to display the little "McAfee Secure" logo.
It's almost, but not quite, entirely pointless - however if you need PCI DSS compliance you HAVE to have, at least, an accredited automated auditor; of which McAfee is one.
Which leads to the conclusions that:
1: PCI DSS is a crock of shit
2: McAfee secure is a marketing tool, not a security tool
3: the PCI are in bed with security vendors dreaming up new ways to screw the punters
Like 3D Secure - NONE of this has much to do with actual credit card security and EVERYTHING to do with shifting liability. The PCI couldn't care less how many people are scammed every year just as long as they're not liable for the losses.