I’m looking for recommendations for vendors – quite possibly start-ups – who can help with two challenging requirements for an app I’m building right now. We’re really open to new and innovative solutions to these two challenges. I’ve got a lot of control in terms of dictating choice of browser, selection of hardware, and even choice of operating system (I could probably, for example, require the use of Macs).

Any recommendations, links, or insights would be really appreciated. I’ve spent some time poking around online, but there’s a ton of companies offering the same old crap that would probably be hell to integrate with a modern web app.

So here’s the situation. My client is a successful, long-standing consultancy in the fitness industry. In 2006 we developed a web application for managing the personal training departments of fitness clubs. This system is in use in approximately 20 organizations in Canada and the US, some of which are quite large. There are currently 1100 users of the system, which tracks over 50,000 clients and some 80,000 transactions totaling $25 million in sales for these clubs. The business model is Software-as-a-Service in conjunction with ongoing consulting and training, primarily to improve operations, sales, and human resource management.

We are currently developing a new and significantly expanded platform, using Ruby on Rails as our web application platform. We believe this application has the potential to acquire many new clients who are frustrated with current software solutions for the fitness industry, which tend to be bloated, complicated and hard-to-use.

One important thing to note about this system is that it handles multiple clubs, which are separate businesses in their own right, with their own clients, bank accounts, etc.

We’re currently faced with two challenging requirements for the system.

Access Control

Clubs need to control access to their club. Some do this by keeping staff at a front-desk, others do this with a completely automated system. When clients walk in the front door, they need to swipe a card, enter a code, or use a biometric system (our preference is for the latter; the trend seems to be to use hand scanners that accept a code but also require hand placement on a pad for entry). The system needs to send this information to the web application, which will return a success/failure response in the case of a fully automated system, or display the client profile to front desk staff.

Requirements for working in a club:

• physical scan to gain entry: card swipe or preferably, something biometric like a hand scanner. * can process many thousands of clients. * can prevent clients from entrance if they fail to be recognized, or if a failure code (e.g. membership expiry) is returned when the scan is performed.

Requirements for integration with web application:

• sends identification information to computer in a way that can be read by a web application. Process: device scans the client, sends client’s ID number to the web application, web application responds with yes/no for entry, and displays client information to front-desk staff. One possibility would be the availability of software, presumably provided by the manufacturer of the device, that would transmit the information read by the device into a web form, i.e. it would work like a keyboard wedge. We are open to recommendations.

• When a client account is created, a unique identifier will be created by the web application. The device must provide some method of storing this unique identifier, either in the card itself in a card reader, or via some other method in other (e.g. biometric situations). In other words, the device must provide an interface that allows for the web application to set up new clients in conjunction with the device and the access control system.

Payment Processing

The application must be able to process credit- and debit-card payments. Most of these will be card-present transactions, both credit- and debit-card based. Customers of the fitness clubs (who are the customers of my client) that use the application will often be present to swipe their cards for their payments to be processed, which requires integration with PIN pads. Some of these will be one-time transactions, others will be recurring.

The application deals with separate businesses that all have their own bank accounts. The money from transactions processed by the app has to be deposited into the bank accounts that belong to individual businesses. I believe this means that PCI requirements are substantially more onerous for an app like this because my client is classed as a payment service provider, rather than just a user. My conversations with payment providers have indicated that the cost of this type of certification is much too high for my client to afford (something in the range of $100k, for hiring an independent security assessor and working with them to achieve compliance).

Additionally, if possible, the application should also support electronic funds transfer.

So far I think my preference is for partnership with a vendor who is already PCI-certified and has the PIN pads for card-present transactions, whose software has a good API that I can interact with via this web application.

I’ve got lots of experience with traditional e-commerce models in Rails, and I’m comfortable with the technical aspects of dealing with multiple bank accounts, but the certification requirements appear to be the major obstacle so far.