The short answer - it is close to impossible to know with any certainty how your card number was compromised.
It is most likely that your card number was compromised (obtained) and some days, weeks or months later the number sold and then later still actually used for the fraudulent charge.

The most prevalent manner of compromise occurs when the card is physically given to a person who then takes the card out of the cardholder's presence to a payment machine for processing (most commonly a server/bartender at a restaurant). While out of view of the cardholder, the person then makes a copy of the card number, date and CVC number - sometimes by manually writing down the numbers (slow, easy to be caught), sometimes by using a phone to take a picture of the card numbers (faster but still easy to be caught), or most common now, by swiping the card through a card reader (extremely fast, very difficult to catch).

Contrary to conventional wisdom, it is rather unlikely the card was compromised due to an online transaction. This is because Payment Card Industry (PCI) standards required to be followed by entities that take credit card/online payments make it pretty much all but impossible for humans to see the card numbers at any point in processing. Card number data is immediately encrypted and truncated to prevent it from being visible and compromised throughout the transaction. If the card was a contactless payment enabled then "theoretically" it is possible for it to have been cloned but this is practically impossible because the technology used only works within a few centimeters of the card.

SP+ manages parking garages all over Arlington - is it possible you used it at a garage somewhere other than the airport but are only attributing it to the airport?