 has granted Safaricom approval to implement "phone number masking" across its M-Pesa ecosystem.){kind=link}
The era of sharing your phone number with every merchant in Kenya is coming to an end, following a landmark decision by the country’s financial regulator.
The Central Bank of Kenya (CBK) has granted Safaricom approval to implement “phone number masking” across its M-Pesa ecosystem.
According to reporting by the Business Daily, the move aims to bolster consumer privacy and align the mobile money giant with the stringent requirements of the Data Protection Act 2019.
For years, M-Pesa users have grown accustomed to a system where paying via a Till or Paybill automatically shared their full name and mobile digits with the merchant.
While often overlooked by the public, this practice effectively handed over personal data with no option to opt out.
Consequently, this transparency frequently opened the door to: Unsolicited marketing calls and spam messages, potential data harvesting for fraudulent activities and privacy breaches where personal numbers were added to unregulated databases.
Under the updated protocol, the transaction process remains identical for the user; however, the information visible to the merchant changes significantly.
Instead of a full mobile number, businesses will now receive a notification featuring a partially hidden string, such as 0722XXXXXX.
Furthermore, this transition is not entirely uncharted territory for Safaricom.
The firm’s Pochi la Biashara service—tailored for small-scale traders—had already adopted masked numbers.
This latest approval simply scales that standard across the wider M-Pesa network, effectively “closing a gap that had existed for years.”
As a result of these changes, the familiar retail ritual of a merchant asking a customer to “show the confirmation message” is being officially phased out.
Both Safaricom and the Office of the Data Protection Commissioner are now actively discouraging the practice.
Instead, merchants are expected to verify payments using professional tools, such as: Dedicated M-Pesa business applications, the *334# USSD code and integrated point-of-sale (POS) systems.
“The transaction still goes through; only this time merchants will simply have to confirm it on their own devices instead of asking to see your phone.”
Interestingly, the move also serves as a legal safety net for small-scale entrepreneurs.
Under the Data Protection Act, any individual collecting personal data is legally responsible for its sensitive handling—a fact many small traders were unaware of.
By masking this data at the source, Safaricom is effectively removing the legal risk for these businesses “quietly in the background,” ensuring that a simple grocery purchase no longer carries the weight of a potential data breach.