How SQL Injection Works
It's true that we don't quite know the attack vector that was used to install trojan(s) on the CardSystems network. In my opinion, the three most likely possibilities are:
If you've ever wondered how SQL injection works... and how best to protect yourself against common web application attacks, this overview from UNIXwiz is one of the best I've seen.
UNIXwiz: SQL Injection - by Example