Specifications include, but are not limited to: The Contractor must provide Approved Scanning Vendor services in accordance to the PCI Security Standards Council to include, an annual internal and external penetration testing of DCA and IAD PCI environments. The Airports Authority has several sources that process credit card transactions. These sources are as follows: x DCA airport parking revenue system x IAD Airport parking revenue system x 11 standalone POS terminals x 4 Web applications For the purposes of internal and external penetration testing, the Contractor shall scan 20 IP addresses on an annual basis. However, the number of IP addresses is expected to increase during the term of the contract. As part of the Airports Authority’s strategic plan, developing other sources of revenue may require the development of new applications, increasing the number of source web applications during the term of the contract.