Safaricom switches on phone number masking for M-PESA on 24 March 2026, replacing the full number that currently appears in every transaction notification with a partially hidden format — for example, 0722***000.
The Central Bank of Kenya approved the rollout last month, covering peer-to-peer transfers first, with merchant Till and PayBill payments to follow later in 2026.
What Changes on 24 March
The difference is precise and worth spelling out, because it affects more than just the phone number.
Today, when someone sends you money on M-PESA, you receive their full three names and their complete phone number alongside the transaction details. From 24 March, that changes on two fronts. The sender’s name shortens from three names to two — John Maina Wao becomes John Wao — and their mobile number masks to a format such as 254725***568. The transaction details, date, transaction number, and amount — remain fully visible and unchanged.
The masking applies symmetrically. Whether you are the sender or the recipient, neither party walks away from the transaction holding the other’s full contact details by default.
The Fraud Problem This Feature Targets
Every M-PESA transaction today hands the recipient a readable phone number sitting in plain text inside their confirmation message. That number has become a predictable starting point for fraud.
Criminals lift numbers from payment notifications, then call the sender while posing as M-PESA agents, customer care representatives, or people claiming to have received money by mistake. It is a low-effort, high-yield approach and it scales.
According to a 2025 TransUnion report, 46% of Kenyan consumers say they have been targeted by fraudulent calls, texts, or online messages. The M-PESA transaction notification is one of the most common sources of the phone numbers that fuel those attempts.
Safaricom names the specific harms the feature targets: spam calls, unsolicited marketing messages, and harassment following a transaction. All three begin the same way, with a number lifted from a payment confirmation.
From 24 March, that number is no longer there to lift.
How to Verify a Sender Under the New System
Masking raises a legitimate question: what happens when you genuinely need to confirm who sent you money?
Safaricom has built a verification step into the system. Forward the transaction message to 334 within 24 hours of receiving it, and the platform sends the sender an SMS asking them to share their full name and mobile number. The sender then makes a choice. If they agree, you receive their full details by SMS. If they decline, you receive a notification confirming that they chose not to share.
Two rules govern the process: one verification request per transaction, and the request window closes after 24 hours. The system preserves the sender’s agency, their number stays private unless they actively choose to release it.
The Regulator’s Approval and Its Conditions
Safaricom developed the masking capability years before customers saw it. Regulatory clearance took time. The CBK granted approval in February 2026, stating in writing:
“The CBK has reviewed your application and submissions in support of the solution and approves your request to implement data minimisation for peer-to-peer transactions.”
Safaricom must now run consumer awareness and education campaigns ahead of the launch, monitor customer feedback actively, resolve complaints as they arise, and submit monthly progress reports to the CBK.
The Communications Authority of Kenya had already declared its support, stating that privacy features such as number masking “are important for digital trust and consumer protection” as digital services, including e-commerce, continue to expand.
What Data Minimisation Actually Means
The principle behind the feature determines how far Safaricom can extend it and the briefing document states it plainly: data minimisation ensures that only the necessary information is shared or displayed, reducing exposure to misuse while maintaining a seamless customer experience.
Applied to a payment, the logic is straightforward. The function of a money transfer is moving funds from one person to another. It does not require both parties to exchange contact details. Masking strips the transaction back to its essential purpose and nothing more.
The CBK’s National Payments Strategy framed the broader ambition:
“The focus will be on enhancing safeguards on how payment data is collected, stored, and shared. The overall objective will be to ensure payments data is used safely and securely to enhance a user’s privacy, reducing fraud and facilitating positive elements such as use of data to enhance security, innovation, access to new services, and customer-centricity approaches.”
Number masking on peer-to-peer transfers is the most visible expression of that strategy to date. It is not its conclusion.
Five Years of Privacy Work, Now Visible
The 24 March launch is the public face of a programme that Safaricom has been building since 2020. The internal timeline, published in the briefing document, maps each step:
In 2020, Safaricom applied data minimisation at the launch of Pochi la Biashara, limiting what merchants could see. In 2021, it restricted the customer data accessible to its own front-line and support staff. In 2022, it extended masking to M-Pesa statements. Between 2023 and 2024, it pushed data minimisation down to the API layer, ensuring that large organisations integrated to the Buy Goods and C2B APIs received only the minimum data needed to complete a transaction. The 2026 roadmap extends the same protection to SMEs receiving payment notifications by SMS, the segment of the market that the peer-to-peer rollout does not yet reach.
CEO Peter Ndegwa, speaking at the media immersion briefing on 18 March, placed the programme in its customer context:
“Our customers want convenience, but they also need to feel that the information entrusted to us is handled with care, respect, and integrity.”
Ndegwa added that Safaricom had “listened to customer concerns about privacy” and was introducing an enhancement that “minimises the personal information shared while conducting Send Money transactions on M-Pesa.”
Safaricom’s chief financial services officer confirmed the 2024 milestone at the same briefing: “In 2024, we implemented API-level data minimisation, ensuring partners only receive the minimum data required to complete a service.”
The Scale of What This Protects
M-PESA handles 37 million peer-to-peer transactions every day, drawn from 14.1 million daily active person-to-person customers. Those 37 million transactions sit within a total daily volume of 137.9 million transactions across the platform, representing a daily value of KSh118 billion, of which the peer-to-peer segment alone accounts for KSh27 billion.
Each of those 37 million daily transfers previously deposited a readable phone number with the recipient. Multiply that across a year, and the volume of phone numbers that flowed into unintended hands through the transaction notification channel alone runs into the billions.
Ndegwa drew the obligation directly: “We have an obligation to ensure maximum digital security for our customers.”
