The Central Bank of Kenya (CBK) has officially authorized Safaricom to implement phone number masking for M-Pesa transactions. The decision marks a significant shift in how personal data is handled within Kenya’s massive mobile money ecosystem.
The approval follows years of growing consumer frustration over data harvesting. Under the previous system, every time a customer made a payment via Lipa na M-Pesa, their full name and phone number were transmitted to the merchant. This often resulted in customers being bombarded with unsolicited marketing texts, promotional calls, and, in some cases, targeted scams.
The new masking feature ensures that only a truncated version of a customer’s phone number is visible to the recipient. For instance, instead of seeing a full 10-digit number, a merchant’s confirmation message might display a redacted format such as 0722XXXX89.
This technical adjustment achieves two critical goals:
- Verification: Merchants can still confirm that a transaction has originated from a specific customer by matching the visible digits and the transaction code.
- Anonymity: It prevents businesses from building private databases of customer phone numbers for secondary use without explicit consent.
The CBK’s move is a direct response to the Data Protection Act of 2019, which mandates that companies practice data minimization. The law requires that only the information strictly necessary for a transaction be shared. By masking numbers, Safaricom aligns its operations with these legal standards, shielding itself and its partners from potential litigation over privacy breaches.
while the change is a victory for privacy, it presents a new challenge for small and medium-sized enterprises (SMEs) that relied on M-Pesa data to build loyalty programs or follow up on customer orders. These businesses will now need to adopt more formal, consent-based methods to collect customer information.
The rollout is expected to prioritize Lipa na M-Pesa (Buy Goods and Paybill) channels, where the volume of transactions, and the risk of data misuse, is highest.