When reports emerged in early March that Safaricom would begin masking phone numbers in M-PESA transaction notifications, the details were thin.
The Central Bank of Kenya had approved the change for the service to apply to merchant payments, and it was framed broadly as a privacy improvement aligned with the Data Protection Act 2019.
What was missing was the specifics: which services were affected, how it would work in practice, and when it would actually go live. Safaricom answered some of those questions at a media briefing and also, perhaps unintentionally, raised new ones.
The go-live date is March 24. The primary change is to M-PESA’s person-to-person Send Money function, which processes 37 million transactions daily with a combined value of KES 27 billion, out of a total of 137.9 million daily M-PESA transactions worth KES 118 billion.
The platform has 14.1 million daily active P2P customers. Those numbers make this one of the most consequential privacy changes Safaricom has made to M-PESA since the service launched.
What Changes on March 24
When someone sends you money via M-PESA, the confirmation SMS you receive from Safaricom shows the sender’s full three names and their full phone number.
From March 24, the number will be partially hidden, formatted as, for example, 0722***000. The sender’s first and last names will still appear. All other transaction details, including the date, reference number, and amount, remain the same.
Separately, Safaricom is also rolling out the same masking to Buy Goods and Paybill SMS notifications for small traders, who had previously been excluded from an earlier wave of changes that applied only to large organizations integrated directly to the C2B and Buy Goods APIs.
That earlier wave went out in 2023 and 2024. The SME extension goes live alongside the P2P change.
The change also trims the name displayed. Previously, M-PESA showed three names. Going forward it shows two, picking the first and last name with no option for customers to choose which two are shown.
The 334 Opt-In
Safaricom has built a workaround for cases where a recipient needs to identify a sender. You can forward the transaction SMS to 334, which triggers a request to the sender asking whether they are willing to share their full name and phone number.
If they agree, you get the details by return message, but if they decline, you are notified of their decision. Each request is valid for 24 hours and is capped at one per transaction.
The design places the decision entirely with the sender. That is intentional from a privacy standpoint, but it creates a real gap for commercial disputes.
The Dispute Problem
The scenario Safaricom’s briefing materials did not address is the transaction dispute. When a customer claims to have sent money to the wrong till number or claims an erroneous deduction, merchants and their accounts teams have typically cross-referenced the sender’s full phone number against their own records to verify the claim.
A masked number breaks that process because the business cannot independently confirm a caller’s identity. Under the 334 system, the merchant would have to request verification, and the sender would have to voluntarily cooperate before the merchant could confirm anything.
Whether full sender details remain accessible through M-PESA’s formal dispute channels, which operate separately from the SMS notification layer, is not clear.
A merchant who files a complaint through customer care or the app may find that internal records still show the full number, allowing disputes to be resolved. If the masking goes beyond the notification layer, the gap for businesses is much larger than Safaricom indicated.
Earlier reports attributed the change to a CBK approval. Safaricom has framed it differently, presenting the move as the company’s own initiative in line with data minimization principles.
The company cited alignment with the Office of the Data Protection Commissioner privacy regulations but did not name a specific directive or legal instrument requiring the change.
Both things may be true, as Safaricom may have proposed the change and sought CBK clearance before proceeding. If this is a regulatory requirement that all mobile money operators must now meet, that is a different story from Safaricom acting voluntarily.
Six Years in the Making
Safaricom presented the P2P change as the latest step in a program that stretches back to 2020, when Pochi la Biashara launched with number masking built in from the start.
Internal staff data viewing was restricted in 2021. M-PESA statement data was minimized in 2022. Meanwhile, large organizations integrated directly to M-PESA’s Buy Goods and C2B APIs in 2023 and 2024.
Think of a supermarket where the cashier asks for your phone number to send you a payment prompt rather than waiting for you to initiate it.
Since those organizations receive payment confirmations through the API rather than an SMS notification, the masking on that end has already been applied, and the cashier’s till system doesn’t need your full number to begin with.
The March 24 rollout closes the last two remaining gaps of P2P and SMS notifications to SME merchants.
Calling it a six year program is accurate, but it also softens the change. It presents something many customers will notice right away, and some businesses may find disruptive, as a planned and gradual shift instead of a sudden move.
Safaricom argues that the trade-off is about security. A phone number taken from a transaction SMS can be used for scams, so the company believes reducing that risk is worth any inconvenience to merchants.
