Scams are more nuanced now. Deepfakes are more convincing. And at a time when one-click checkouts and real-time payments are the norm, security has soared far beyond being a mere ‘tech team problem’.
In Mastercard’s January 2025 global survey of more than 5000 small business owners, 79 per cent said effective cybersecurity is critical to business operations, and 70 per cent would direct extra budget to security first.
The big change in 2026 is that organisations are finally treating cyber, fraud and payment risks as one connected system – because threat actors are already treating them as such. Nearly half of surveyed businesses have already experienced a cyberattack, making this shift urgent.
Startup Daily spoke to Aditi Sawhney, senior vice president of security solutions for Mastercard’s Asia-Pacific region, to find out what priorities startups should have at the top of their lists.
It’s all to mark the launch of Mastercard Digital Doors™ Australia, a free platform with exclusive offers and trials for Mastercard Business cardholders only, and special resources on topics including cybersecurity, payment security and management.
Now, Sawhney’s advice:
Priority 1: Stop fighting fraud and cyber in separate silos
“Cybersecurity in 2026 is defined by an always-on, AI-powered threat landscape that looks very different from just a year ago,” Sawhney tells us. “The top priority now is breaking down silos between cyber and fraud defences.”
Sawhney points to a growing recognition that fragmented defences cause blind spots – especially as “cyber-enabled fraud” accelerates across the region.
If you’re a founder or business owner, that translates to an obvious question: are your fraud signals (chargebacks, account takeovers, suspicious onboarding) flowing to the same people and dashboards as your cybersecurity signals (skimming attempts, credential stuffing, phishing reports)?
If not, 2026 must be the year to connect them – even if it’s just a shared weekly review and a sole incident playbook.
Priority 2: Fight AI with AI – and do it in real-time
“Companies must harness AI and real-time data to outpace AI-driven attacks,” Sawhney says, explaining that attackers are weaponising generative AI through “deepfakes and bots at scale”.
This matters because modern fraud doesn’t always look like fraud until it’s far too late. In payments, Sawhney says “new fraud patterns such as AI-assisted scams seem to be accelerating” including deepfake and chatbot-driven social engineering, synthetic identities, real-time payment scams and more.
“These authorised, self-initiated scams are particularly challenging because systems do not flag a ‘user-approved’ transaction as fraudulent,” she says. “The result is a faster fraud cycle that exploits any delay or silo in detection.”
Her view is that the biggest wins in 2026 will come from “adopting layered, intelligent controls that work behind the scenes”, using network-level monitoring and AI to cut down fraud without piling friction onto legitimate customers.
Priority 3: Identity is the battleground, so make security ‘invisible’
Sawhney’s third priority is identity: “Identity is the new battleground. From deepfake scams to synthetic identities, most attacks now begin with compromised credentials.”
That’s why she expects more businesses to move away from passwords and SMS one-time passcodes (OTPs) and instead adopt stronger methods.
“The future is passkeys and biometrics, as a secure, device-based credential – using standards like FIDO [Fast Identity Online] – that ties your authentication to something you have, like your phone or laptop, on top of something you are, like a fingerprint or face ID.”
Identity theft is a concern for small businesses, and startups are especially vulnerable as they scale.
Another fear that businesses that sell online have is checkout friction. But Sawhney argues the direction of travel is the opposite: “Businesses should view passkeys and biometrics as an opportunity to streamline the customer experience while bolstering security.”
Solutions like Click to Pay show that security and convenience can co-exist. “When combined with passkeys or biometrics, Click to Pay enables a fast, password-free checkout experience that’s both trusted and frictionless,” adds Sawhney.
The operating principle she comes back to is simple: “At Mastercard, we often say security should be ‘invisible yet omnipresent’. It should surround every interaction without putting burden on the customer. In practice, that means using risk-based authentication: let low-risk transactions through with minimal friction, and only prompt a biometric or passkey confirmation when something looks suspicious.”
Priority 4: Privacy-by-design is a non-negotiable
If privacy-by-design sounds like something only enterprises can afford, Sawhney says that’s simply not the case.
“Privacy-by-design might sound like a luxury for cash-strapped startups, but in reality, it’s a mindset and methodology that can save you money and build customer trust,” she says.
Her baseline advice is disciplined data minimisation and protection – including using tokenisation so you’re not having to store credit card numbers in the first place.
And then there’s the cost factor – an average data breach now costs USD$4.4 million globally.
So, vendor due diligence should be top of mind. In particular, payment and data vendors should bring end-to-end encryption, strong access controls, tokenisation and faster breach detection and notifications.
Security as a growth asset
“In today’s digital economy, security is a strategic growth enabler,” Sawhney says. “For startups and scaleups alike, treating cybersecurity as a trust asset rather than a cost centre can yield significant returns.”
There’s also the fact that implementing better fraud controls can minimise false declines and recover sales that would otherwise be lost.
For founders and operators seeking out their next best steps, head to the Mastercard Trust Centre for deeper research, education and handy tools, as well as the Mastercard Digital Doors™ Australia business hub for actionable guides across cybersecurity, payments security, data privacy and more.
This article is brought to you by Startup Daily in partnership with Mastercard.
Daily startup news and insights, delivered to your inbox.