Patch Policy and Vulnerability Severity Rating and CVSS Score
The patch policy and vulnerability checks (in the Security scan, PCI scan, PCI and PAN scan and Data Breach Risk scan) are given a High, Medium or Low severity rating based on the importance of the patch or vulnerability. This severity rating comes from the CVSS (Common Vulnerability Scoring System) framework issued by NVD - The U.S. government repository of standards based vulnerability management data. See https://nvd.nist.gov/cvss.cfm?calculator.
For example, when the CVSS score of a vulnerability is between 7.0 and 10.0, the severity rating is high. A high severity level will fail PCI compliance.