You might check with SecurityMetrics and find out exactly what they are testing there.
One thought I have is that dreamhost creates an “ftp” A record automatically. i.e. ftp.example.com
The service is going to answer with a login prompt even if the “user” doesn’t have privileges to login. Perhaps asking to support to delete those “ftp” A records would clear the problem. It might not tho, since the domain name itself on port 21 will still prompt for ftp login.
You didn’t say which dreamhost product you have (and it may be relevant): shared, vps, dedicated?
Also support usually jumps on helping with PCI compliance issues, Have you opened a ticket?