In a significant move that could reshape digital payment privacy across Africa, Safaricom has announced plans to stop sharing customers’ full phone numbers in M-PESA transactions with merchants and banks by the end of 2026. The decision marks one of the most comprehensive data protection upgrades ever introduced on the continent’s most widely used mobile money platform.
For millions of users who rely on M-PESA daily, this change goes beyond a simple technical update. It represents a deliberate shift towards stronger privacy controls in an ecosystem where personal data, especially phone numbers, has long been exposed during routine transactions.
The development builds on a phased rollout already underway. From March 2026, M-PESA began masking phone numbers in peer-to-peer transfers, ensuring that only partial digits are visible in transaction alerts.
By late 2026, this masking will extend to merchant payments and bank transfers, closing what Safaricom considers one of the biggest remaining gaps in its data protection framework.
Table of Contents
Why phone number exposure has become a major concern
For years, M-PESA transactions have automatically shared customers’ phone numbers with recipients, merchants, and in some cases, multiple financial intermediaries. While this made transactions easy to verify, it also created an unintended vulnerability.
Phone numbers collected through payment alerts have often been reused for unsolicited marketing, spam messages, and, more dangerously, fraud schemes.
In Kenya’s mobile-first financial system, where a phone number doubles as a financial identity, this exposure carries even greater risk. Fraudsters have exploited these numbers to impersonate customer care agents, initiate social engineering attacks, and execute SIM swap fraud.
Authorities have linked such practices to rising cybercrime incidents, with criminals leveraging transaction data to gain trust and manipulate victims into revealing sensitive details like PINs and passwords.
Against this backdrop, Safaricom’s decision reflects a broader recognition that convenience must no longer come at the expense of security.
How the new M-PESA privacy system will work
Under the updated system, full phone numbers will no longer appear in transaction notifications sent to merchants or banks. Instead, users’ numbers will be partially masked, limiting how much personal information is exposed during each transaction.
For example, a complete phone number will be replaced with a shortened or obscured version, while still allowing enough detail for basic identification.
Importantly, the core functionality of M-PESA will remain unchanged. Customers will still be able to send and receive money, and merchants will continue to receive payment confirmations. However, the data shared within those confirmations will be significantly reduced.
The update will also extend across multiple transaction types, including:
- Merchant payments, such as Buy Goods and Paybill
- Transfers between M-PESA and banks
- Interoperable transactions with other mobile money platforms
This is particularly crucial because such transactions often pass through several systems, each creating an additional point where personal data could be accessed or stored.
By enforcing consistent masking across all these channels, Safaricom aims to establish a unified privacy standard across the entire payment ecosystem.
Implications for businesses and the wider fintech ecosystem
While the privacy benefits are clear, the transition is expected to introduce operational challenges, especially for small businesses that depend heavily on phone numbers to manage transactions.
Many merchants currently use customers’ phone numbers to:
- Confirm payments manually
- Track repeat customers
- Resolve disputes
- Send follow-up promotions
With full phone numbers no longer visible, businesses will need to adapt by relying more on transaction codes, internal systems, or consent-based data sharing models.
Safaricom has acknowledged that dispute resolution could become more complex in the short term. Without direct access to a customer’s full contact details, resolving payment issues may require additional verification steps and cooperation between all parties involved.
However, the company maintains that the trade-off is necessary. According to its leadership, a certain level of inconvenience is acceptable when weighed against the broader goal of improving customer safety and trust.
From a regulatory and industry perspective, the move aligns with growing emphasis on data minimisation, a principle that requires organisations to collect and share only the information strictly necessary for a service to function.
Across Africa, regulators are increasingly tightening rules around data protection, particularly in financial services where breaches can have immediate and severe consequences.
What this means for Africa’s digital payments future
M-PESA processes tens of millions of transactions daily, handling billions in value and serving as a backbone for financial inclusion in Kenya and beyond.
Because of this scale, even incremental changes can have far-reaching effects, not just locally but across the continent’s fintech landscape.
For countries like Nigeria, where mobile money and digital payments continue to expand rapidly, Safaricom’s approach could serve as a model for balancing usability with privacy. Platforms such as bank apps, USSD services, and fintech wallets face similar challenges around data exposure, particularly as fraud tactics become more sophisticated.
This shift also signals a deeper evolution in how African fintech companies think about user trust. In the early days, growth and accessibility were the primary focus. Today, security and data protection are becoming equally critical pillars.
By reducing the visibility of sensitive information like phone numbers, M-PESA is effectively redefining what a secure transaction should look like in a mobile-first economy.
Looking ahead, the success of this initiative will depend on how well users and businesses adapt to the new system. If implemented smoothly, it could significantly reduce fraud, limit spam, and set a new benchmark for privacy in digital payments.
For now, one thing is clear. The era of openly shared personal data in everyday financial transactions is gradually coming to an end, and M-PESA is leading that transition in Africa.
Join Our Social Media Channels:
WhatsApp: NaijaEyes
Facebook: NaijaEyes
Twitter: NaijaEyes
Instagram: NaijaEyes
TikTok: NaijaEyes
