Tycoon Talk
Tycoon Talk is part of Freelancer.com.

ASP.NET Forum


Closed Thread
Failing PCI Standards. Need help please!!
Posted 02-08-2011, 01:56 PM by vultren (Tony, Seattle, Washington):
I'm trying to help a friend and know nothing of this. So here is what I got, hopefully someone can help!
Last edited by vultren, 02-13-2011 at 12:51 AM. Reason: Take out code
Posted 02-08-2011, 01:57 PM by vultren (Tony, Seattle, Washington):
Edited out.
Last edited by vultren, 02-13-2011 at 12:52 AM. Reason: Taking out code
Posted 02-08-2011, 02:08 PM by chrishirst (Chris Hirst, Blackpool, UK):
First question: WHY are you using an Access file as a database if you are handling credit card details?
Posted 02-08-2011, 05:51 PM by vultren (Tony, Seattle, Washington):
I did not code this; I think the code was written years ago too, actually. I just have a friend who came to me asking if I could help, and my area of expertise is not in this area... Is the Access file the cause of the SQL injection?
Posted 02-08-2011, 06:38 PM by chrishirst (Chris Hirst, Blackpool, UK):
No, but Access files can be downloaded and read if the location in the site is exposed.

Are you collecting and storing credit card information on the site?
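
The check chrishirst is describing, as an added example that is not code from the thread: given the site's OLE DB connection string and the IIS web root, decide whether the Access file sits somewhere a plain GET could fetch it. The connection strings, the web root and the protected-folder list are constructed for the demo; the assumption that IIS still refuses to serve App_Data, App_Code and bin on an ASP.NET site (its default request-filtering hidden segments) is stated in the code.

```python
"""Added example, not code from the thread: flag an Access database that an
ASP.NET site's OLE DB connection string points at a path inside the web-served
tree, where a plain GET for that path would download the whole .mdb.
All paths and connection strings below are constructed samples."""
from __future__ import annotations

from pathlib import PureWindowsPath

ACCESS_EXTENSIONS = {".mdb", ".accdb", ".mde", ".accde"}
# Folders IIS refuses to serve on an ASP.NET site (request-filtering hidden
# segments).  Assumption: the defaults have not been removed from web.config.
PROTECTED_SEGMENTS = {"app_data", "app_code", "bin"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in conn.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip().strip('"')
    return parts


def resolve_data_source(conn: str, webroot: str) -> PureWindowsPath | None:
    """Path of the Data Source; |DataDirectory| expands to <webroot>\\App_Data."""
    src = parse_connection_string(conn).get("data source")
    if not src:
        return None
    root = PureWindowsPath(webroot)
    token = "|DataDirectory|"
    if src.lower().startswith(token.lower()):
        return root / "App_Data" / src[len(token):].lstrip("\\/")
    return PureWindowsPath(src)


def exposed_db_url(conn: str, webroot: str) -> str | None:
    """URL path at which the database file could be fetched, or None when it
    is not an Access file, sits outside the web root, or is under a folder
    IIS will not serve."""
    db = resolve_data_source(conn, webroot)
    if db is None or db.suffix.lower() not in ACCESS_EXTENSIONS:
        return None
    try:
        # PureWindowsPath compares drive and folders case-insensitively.
        rel = db.relative_to(PureWindowsPath(webroot))
    except ValueError:
        return None  # outside the served tree: not directly downloadable
    if rel.parts and rel.parts[0].lower() in PROTECTED_SEGMENTS:
        return None
    return "/" + "/".join(rel.parts)


if __name__ == "__main__":
    ROOT = r"C:\inetpub\wwwroot"  # constructed sample web root
    for cs in [
        r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\inetpub\wwwroot\db\shop.mdb",
        r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\shop.mdb",
        r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\data\shop.mdb",
    ]:
        print(exposed_db_url(cs, ROOT) or "not directly downloadable", "<-", cs)
```

The first string is the failing case: anyone who learns or guesses the path can request /db/shop.mdb and read every table offline. Moving the file to |DataDirectory| (App_Data) or to a folder outside the web root removes that download path; it does nothing about the injection problem in the application code, which is a separate fix.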
Posted 02-08-2011, 07:40 PM by vultren (Tony, Seattle, Washington):
Quote: Originally posted by chrishirst
No, but Access files can be downloaded and read if the location in the site is exposed.

Are you collecting and storing credit card information on the site?
Yes, he collects credit card information and uses that information to process the payment.

What steps should I assist him in taking so that he is PCI compatible?
Posted 02-09-2011, 11:03 AM by rolda hayes (Darren, England):
Apart from the more pressing issue of the Access database, it looks like the PCI fail may be to do with the search form:

Code:
<input type="text" size="15" maxlength="60" name="txtKeyword" id="txtKeyword" class="ActionInput" value="Search..." onfocus="doConditionalErase();">
Who is the PCI company running the scans?
Posted 02-10-2011, 08:08 AM by stbuchok:
To prevent SQL injection, use stored procedures (unless you decide to use dynamic SQL inside the stored proc). This, however, won't help with the fact that you guys are using an Access DB, as Chrishirst has said. Use MS SQL, MySQL, DB2, Oracle, any of these, please, rather than Access, especially since you are storing credit card information. Also, since what I see so far looks scary, MAKE SURE YOU ARE ENCRYPTING THE CREDIT CARD INFO IN THE DATABASE!

Can you let us know what site this is so that we don't go there and buy something?
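
What the injection in a search form like the one above actually does, and what keeping user input out of the SQL grammar buys you, as an added example that is not code from the thread. The thread's suggested fix is stored procedures; the same property also comes from parameterized commands (in ASP.NET, OleDbCommand with ? placeholders and a Parameters collection), which is what the safe function below models. sqlite3 stands in for the Access/OLE DB back end, and the products and orders tables and rows are constructed for the demo; the site's real query is not shown on the page.

```python
"""Added example, not code from the thread: the search keyword from a txtKeyword
field is first spliced into the SQL text the way an old ASP page typically did
it, then passed as a parameter.  sqlite3 stands in for the Access back end;
the tables and rows are constructed sample data."""
import sqlite3

SAMPLE_PRODUCTS = [("Widget", 9.99), ("Gadget", 19.99), ("Sprocket", 4.50)]

# What an attacker types into the search box: close the LIKE string, bolt on a
# UNION that reads a different table, and comment out the trailing quote.
UNION_PAYLOAD = "x%' UNION SELECT card_last4, amount FROM orders --"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, card_last4 TEXT, amount REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.execute("INSERT INTO orders (card_last4, amount) VALUES ('4242', 29.98)")
    return conn


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """String concatenation: the keyword becomes part of the SQL grammar."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, keyword: str) -> list:
    """The driver ships the keyword as a value; it can never close the quote
    or add a UNION, so the same payload is just a string nobody's name matches."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal search     :", search_parameterized(db, "adg"))
    print("concatenated query:", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterized     :", search_parameterized(db, UNION_PAYLOAD))
```

With the concatenated query the payload returns the orders row ('4242', 29.98) through the product search; the parameterized version returns nothing for it. Note that a stored procedure that builds dynamic SQL from its arguments by concatenation reintroduces exactly the first form, which is the caveat in the post above.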
Posted 02-16-2011, 09:16 PM by gotlivechat (Josh Rasri, Upstate NY):
No matter what database you're using, I would think you would only store the billing information *just long enough to process it*, then securely delete it. Don't store it for historical reasons or future customer use, as it may fall into the wrong hands.
Also, ensure any form submission data is being checked for validity, especially if doing any type of dynamic SQL commands. When I say validity I mean that if numbers are to be entered, ensure they are numbers, set a max length for acceptable values, and strip any chars that can be used for SQL injection attacks (search Google for ways to combat SQL injection; tons o' information).
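
The server-side validity checks described above, as an added example that is not code from the thread: card number digits only and within the 13 to 19 digit range, Luhn check digit, expiry not in the past, security code 3 or 4 digits, and a masked form as the only thing retained once the charge is done. The field names (txtCardNumber, txtExpMonth, txtExpYear, txtCVV) are assumptions in the style of the page's txtKeyword; the card numbers are well-known test values, not real cards. Validation rejects bad input rather than stripping characters, and SQL safety is left to parameterized queries.

```python
"""Added example, not code from the thread: server-side checks on payment
form fields before anything touches the database.  Field names are assumed
(the page only shows txtKeyword); card numbers are constructed test values."""
from __future__ import annotations

import re
from datetime import date

_SEPARATORS = re.compile(r"[ \-]")
THREAD_DATE = date(2011, 2, 16)  # the post's date, used as "today" in the demo
GOOD_FORM = {  # constructed sample submission
    "txtCardNumber": "4111 1111 1111 1111",
    "txtExpMonth": "12",
    "txtExpYear": "11",
    "txtCVV": "123",
}


def normalize_pan(raw: str) -> str | None:
    """Strip spaces/dashes; accept only 13-19 digits (the ISO/IEC 7812 PAN range)."""
    pan = _SEPARATORS.sub("", raw.strip())
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return None
    return pan


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(mm: str, yy: str, today: date) -> bool:
    """MM and YY/YYYY as digits, month 1-12, and not before the current month."""
    if not (mm.isdigit() and yy.isdigit() and len(mm) == 2 and len(yy) in (2, 4)):
        return False
    month, year = int(mm), int(yy)
    if len(yy) == 2:
        year += 2000
    if not 1 <= month <= 12:
        return False
    return (year, month) >= (today.year, today.month)  # valid through end of month


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; the full PAN is never written to the DB."""
    return "*" * (len(pan) - 4) + pan[-4:]


def validate_payment_form(form: dict, today: date) -> dict:
    """Return {'ok': True, 'masked_pan': ...} or {'ok': False, 'errors': [...]}."""
    errors = []
    pan = normalize_pan(form.get("txtCardNumber", ""))
    if pan is None:
        errors.append("card number must be 13-19 digits")
    elif not luhn_ok(pan):
        errors.append("card number fails check digit")
    if not expiry_ok(form.get("txtExpMonth", ""), form.get("txtExpYear", ""), today):
        errors.append("card is expired or expiry is malformed")
    cvv = form.get("txtCVV", "")
    if not (cvv.isdigit() and len(cvv) in (3, 4)):
        errors.append("security code must be 3 or 4 digits")
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "masked_pan": mask_pan(pan)}


if __name__ == "__main__":
    print(validate_payment_form(GOOD_FORM, THREAD_DATE))
    print(validate_payment_form(dict(GOOD_FORM, txtCardNumber="4111 1111 1111 1112"), THREAD_DATE))
```

Only the masked value and whatever the processor returns (an authorization or transaction id) belong in the application's database after the charge; the full number and the security code live in process memory for the duration of the request and are not persisted at all.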
Posted 08-15-2011, 02:57 AM by lynxus (UK):
OK, a few things..

Has anyone who actually knows the standard looked at the setup?

A few things:
Yes, using an Access DB isn't great; however, if you have locked it down correctly then you can still pass.
You shouldn't have CC details and security code numbers in the same DB (or the same server).
Your servers and networks should be separated by firewalls.
You need to use 2-factor authentication to management networks. The management network also needs to be separated by firewalls.
You need policies on how to change and manage the firewalls and user accounts.
Etc., etc.

If you failed a PCI test then they should say why!

It's not a cryptic school exam! It's in their best interest to have you pass; otherwise you run the risk of handing CC details out and causing no end of problems for you and others!
Posted 08-16-2011, 08:28 PM by PaulW (Paul W):
PCI examinations and judgements vary wildly, but even so your friend should have been given a detailed report outlining good and bad points of the whole setup (and that means everything from webserver config to coding standards). Some will be meaningful, some bull**** to persuade people that PCI and associated businesses are kosher, but you still have to follow it to keep accepting payments, unless of course you go the other way and hand off the card-handling side to another agency.