A PCI compliance scan can fail on a cPanel/WHM current distribution, this can be the case even when you are running the latest release version with automatic updates enables.
The common failure of the PCI Scan relates to the version of bind that is running on the server, you can find what version you are running of bind by running
Output should be similar to …
The issue is that some PCI scan firms technically see this version as deprecated and therefore vulnerable to exploits, the reality is that this version does still receive security updates to it known as backports.
You can get a list of these backports with the following command…
rpm -q --changelog bind > bind_changelog.txt
This will output a text file with an historical list of all updates applied to the bind version including up to date security patches, just send that text file back to the PCI outfit and they should pass your server as being secure.