This has been discussed a couple times throughout the forum and there's never been a clear answer.
Some PCI vulnerability scanners can populate and submit forms even when phone number and email fields exist that error out on web-based submissions. Somehow these scanners, which scan for vulnerabilities in many things such as web-based forms, are able to submit these forms without triggering the errors. This essentially confirms that there's a vulnerability because the form is able to be submitted without meeting the necessary requirements.
As many have mentioned, the forms are typically submitted an average of 8 times per day, per form, and are filled with 0's. The IP addresses do confirm that the forms are being filled by the scanners. This appears to happen on both encrypted and non-encrypted pages, as well as on stock WP and custom themed / with addons.
Installation Status
PHP Version 5.3.3
MySQL Version 5.1.67
WordPress Version 3.5.1
Gravity Forms Version 1.6.12