Selling services around access control — outside of the traditional support agreement — used to be a fairly binary choice between hosted or managed services, as well as being a relatively heavy lift for the security integrator. With the push to cloud, subscription selling, and mobile credentialing, today’s options are easier and more plentiful — but not necessarily less confusing. What services are best to start with? Should you do a pass-through service or develop something in-house? How should you price it?

“RMR-based access control models vary by manufacturer, but the core structure is typically per-door pricing,” says David Muncie, product manager, Aiphone, Redmond, Wash. “Most [vendors] follow a tiered approach with price breaks as door counts increase. … Beyond the per-door model, additional revenue opportunities often come from add-on licenses such as expanded user counts or enhanced functionality through integrations. Since cloud-based access control is still in its early adoption phase, the terminology hasn’t fully standardized. Some manufacturers position it as ‘hosted access control,’ while others use ‘access control as a service (ACaaS).’ Ultimately, the differences are less about terminology and more about how each vendor structures pricing, features, and scalability.”

Nor do all RMR models rely on the cloud, Muncie adds. “Many are still server-based, with software hosted on-premises,” he says. “In those cases, integrators generate recurring revenue by managing services such as system monitoring, maintenance, database management, firmware updates, and credential administration.”

Roy Pangilinan, manager of cloud services, Hanwha Vision, Teaneck, N.J., agrees, “Not all RMR solutions are cloud-based. Legacy and on-premises systems still exist, often requiring the physical logins or remote desktop connections. However, the market is shifting towards the cloud because it simplifies management and allows certain tasks like adding or deactivating credentials to be delegated to end users without the need for integrator intervention.”

Kris Houle, product line manager for Security Center SaaS, Genetec, Montreal, calls this legacy model a “perpetual license.” In other words, “Once you buy it once, you own it; it’s yours,” he explains. Then, there are services that can be sold on top of that. “That’s kind of the baseline of where a recurring revenue model can com from: it’s a support model on top of something you have already purchased,” Houle says.

From there, Houle says it gets more interesting, with both infrastructure and software-as-a-service models that provide more options both to the integrator and the end user. “Infrastructure-as-a-service would provide you with virtual machines or certain equipment that we [the vendor] take care of where we run the software, but the customer is still responsible for maintaining the software piece of it. … Then there is software-as-a-service (SaaS), which is a true cloud-native type of application where all of the services around the managing of that piece of software are the vendor’s responsibility.”

For security integrators, the infrastructure-as-a-service could be done in-house or by the vendor as a “pass-through” type of service they can mark up and get a piece of that RMR. The SaaS model is usually a pass-through offering as well.

However you choose to do it, the experts agree: it is a beneficial addition to your stable of offerings, as well as an increasing popular offering for customers, who like that they pay for it as an operating expenditure (OpEx) rather than a capital expenditure (CapEx) — something more and more customers are both familiar with and interested in.

“Service-based access control transforms security from a one-time purchase into an ongoing partnership that benefits both integrators and end users,” Muncie says. “For integrators, the shift delivers predictable, recurring revenue while strengthening customer loyalty. Instead of relying solely on hardware sales and installations, integrators gain steady cash flow and long-term relationships through ongoing services.”

Ahead, we examine some of the newer offerings and models and ways to expand on them.

Cloud-Based Services

The advent of the cloud has had a profound impact on everyday life, from the way we view television, bank, order groceries, and much more. This is also true in the security space.

“The newest models are cloud-based, cloud-native,” Houle says. “You are seeing more and more of it, not just from Genetec but from everywhere. I mean, music is subscription now, and you don’t own anything anymore, right?”

This has led end users to investigate cloud options in other areas of their business, including security, Houle adds. “A lot of what is driving this is the end user is less and less willing to do all the extra work for maintaining systems themselves. They want to not have to worry about servers. They don’t want to worry about infrastructure. That requires a huge overhead on their part. They just want something that works, and they are willing to pay for it via subscription.”

This has given rise to many different options from major manufacturers spinning up cloud-based services either on their own or as an add-on to their existing offerings.

Houle says Genetec has multiple options for cloud-based access control, from Security Center SaaS, which is based on a license subscription per reader, to its ClearID, which is a cloud-based access control service designed to sit on top of a legacy installation. Security Center SaaS is a full cloud infrastructure-as-a-service platform featuring a portal for integrators that allows them to see every customer, how many licenses are with each one, and useful information about each account.

“As a systems integrator, they can monitor more efficiently; they can see when there are new features being released and be able to be more proactive with their customers because of that visibility,” Houle says. “They will be able to be more proactive with their customers because they have that visibility.”

One of newest offerings in the market is OnCAFE cloud-based access control from Hanwha Vision, released in September. “OnCAFE makes access control easy to deploy and manage, while allowing customers with existing readers and credentials to migrate to the cloud without having to do forklift upgrades,” Pangilinan says. “Licensing is by door, removing the need for expensive site licenses or large servers or upgrades.”

Alarm.com, Tysons, Va., has built its entire platform in the cloud, including its access control offerings, says Brian Lohse, general manager, Alarm.com for business. “There are a certain number of physical components on site, namely door controllers and readers, installed per usual,” he explains. “The big change from the legacy model is instead of having a local server running on-premise, the software is all run as a cloud service or software-as-a-service offering. Our partners will sell the controller and readers, and instead of selling them a server and software license, they have a monthly subscription fee for the SaaS offering.”

Pass-through services like these have several benefits for the security integrator, Lohse explains. “Recurring revenue is high margin and great. Essentially, they no longer have to do the manual integration work they are named for, which is actually very time consuming. That is the old way. With modern, cloud-based systems, the integration is done for them. It doesn’t require the same skills.”

This means it is easier to maximize the use of the skilled techs you have, saving them for the bigger, more intensive integration work, as well as making it simpler to hire and train new people on the cloud model, Lohse adds.

“Cloud-based solutions provide functions natively, with built-in monitoring, automatic updates, and centralized management,” Muncie says. “This reduces the need for extensive hands-on support, allowing integrators to focus on higher-value services while customers gain a more seamless and scalable experience.” All Aiphone controllers are cloud-enabled, giving integrators the ability to generate recurring revenue with any controller in their portfolio, he explains.

It also makes for a stickier customer, Muncie adds. “A cloud-hosted solution means there is no need for integrators to set up or maintain on-premise servers. The integrator’s role is to manage the customer relationship by handling onboarding, configuration, and other services or ongoing support as needed. This allows them to stay closely connected with their customers while we take care of the heavy lifting on the infrastructure side.”

Another opportunity the cloud has opened up for access control is mobile credentials. “It is a great opportunity to earn recurring revenue, says Sanjit Bardhan, vice president and head of mobile, HID, Austin, Texas. HID has been making mobile-ready multi-technology readers since 2016, he says. Now customers are more interested than ever in enabling those readers. While the process is simple, it does require a change to the reader using a “MOB” (mobile) key.

“The MOB key is a revenue opportunity for systems integrators,” Bardhan says. “Our biggest adoption comes from customers who want to activate those readers. That is an opportunity where the customer has already made that investment. … There is no better time than now because the market was like a sponge the last five years. End users have gotten all the information they need to deploy mobile solutions and now they are ready. Some of our most successful integrators are the ones that attacked this market right at the beginning.”

Expanding RMR Opportunities

Whether you offer a few pass-through cloud-based services or have a full-service in-house offering, the opportunities for RMR solutions are only going to expand.

“Mobile is a very sticky business,” Bardhan says, by way of example. “Mobile can be attached to other services that address a bunch of use cases. Each of those is a monetizing opportunity. Today, a mobile credential is not just used for door access. It is used for elevator dispatch, logical access, printing, ordering a coffee — and each use case requires an end user to pay a certain amount of money for that service to be enabled. When customers use multiple services, that stickiness increases.”

Use cases for cloud-based access control are also increasing, Lohse says. “We track the verticals and are seeing an enormous variety of types and sizes,” he says. While SMB is still the sweet spot, Lohse points to out-of-the-box applications such as pickleball courts and gyms, driving ranges, and other similar types of businesses. “The dealer’s customer is logging into a website and scheduling a time to rent a court, then using the phone as a mobile credential to let themselves in and use that service at that time,” he says. “We have a super interesting case in Washington state where a property is storing wine for customers. If they want to go at 10 p.m. to get a bottle of their favorite cab, they have the ability to go in and do that.”

Another way the RMR opportunity is expanding is by integrating more than just access control into one, bundled solution, Lohse says. “We see customers demanding single, unified systems. It is more effective at driving recurring revenue when you are doing a triple play sale with intrusion and video and other services,” he explains.

Companies like Genetec and Hanwha are also taking this approach. Genetec’s Security Center SaaS is also a unified offering that bundles access control and other technologies into one system, Houle says.

“Both OnCAFE (access control) and OnCloud (video management) run on Hanwha Visions’ unified cloud platform, with a common set of credentials and seamless integration between video and access control,” Pangilinan says. “Integrators can now offer customers a true ‘single pane of glass’ experience, combining video and access control under one subscription and creating reliable recurring revenue streams.”

One important thing to keep in mind is that any RMR service is not an all-or-nothing proposition for the security integrator. In fact, having some of these curated tools available can free you up to focus on the high-dollar design sales, while having a predictable monthly source of income.

“What we are seeing, particularly in the traditional integrator space, is them introducing this model as a repeatable systems model,” Lohse says. “Perhaps they put a box around it in terms of size and types of customers it is best suited for, and, within that segment, there may be a separate salesforce where they are offering a boxed solution that includes all these things. So instead of going to a customer in reactive mode, where they engineer a custom solution for them, it is a proactive offering. Then, they often have a division that is still doing the more traditional systems design work.”

Houle stresses the importance of considering adding one or more of these types of offerings. “I would encourage any systems integrator to have a support model or added service model that they can give value-add to their customers on top of anything they sell,” he says. “It is one way to differentiate yourself from your competitors.”

Muncie gives some solid advice on where to start. “The key for integrators is to approach RMR-based access control as a long-term business strategy rather than one-time project. … Start by clearly defining the service packages you’ll offer and training your team to position them as a value-added benefit rather than extra costs,” he says. “Partnering with vendors that provide robust, cloud-enabled solutions ensures you can deliver reliable, recurring services while minimizing your operational workload.

“Ultimately, leveraging cloud-based access control for RMR helps integrators generate predictable revenue, strengthen long-term customer relationships, and create a sustainable, scalable business model that benefits both the dealer and the end user.”