One can upload excel as well as csv files easily - I have been doing that at work. Down loading them is a matter of creating an excel programatically which is also not difficult - been there, done that. You don't need VBA. simple formats are easy, more complex you need office dll's on the server but this creates security issues.Personally, I suck at VBA, so I find myself resistant to the idea of creating a complex macro in a distributed spreadsheet that would allow Joe User to make heads or tails out of his data.
Security is an issue that decent programming techniques can mostly avoid. Everything can be hacked - that is a fact of life. We really don't need to store the data, just process it and return it back. They upload 2 files - historical, and the new read out from the card, they get processed and combined, an excel can be download, charts can be displayed and downloaded as pdf's and the new historical gets downloaded and saved. That way no data except membership gets saved online.
Everything uploaded will have to be checked for SQL injection and stuff like that.