I don't see anywhere where the OP will allow the extra data bits of the PIN to be passed with the credential?
So that would rule out the HAI as the "gatekeeper" so to speak, which would mean the ACS would be the primary and then drive a KS zone on the HAI to operate, but they would both be dissimilar.
I'd stand by the same question to the OP...what is the level of integration desired? Arm/disarm OP from outside only?