Eh, not really. The VPN was on the same router that gave the card scanner access to phone home to the credit card company. They weren’t related at all. You couldn’t connect to the scanner’s LAN through the VPN. But since they had the same public IP, the vuln scanner counted them as in scope.

But in reality, why’s that a problem? Is the credit card scanner so tacitly busted that it can’t coexist with other hosts? Does it not use TLS? Doesn’t it pin TLS certs so that it’s not subject to MITM? Is it listening on ports with vulnerable services? There’s no excuse for the scanner being that delicate. It should be able to service an office LAN. And yet, the PCI-DSS group managed to push the responsibility for their hardware onto the network owners rather than making their own hardware robust. That’s nuts.