Since Tuesday, 24th March, individuals and small business owners in Kenya who received a mobile payment notification on their phone took note of something different. The familiar string of 10 digits that often revealed the customer’s full mobile number have vanished, instead replaced by a masked sequence, such as 0715***123.

For Safaricom PLC, this change represents a calculated strategy on data privacy as a competitive differentiator in one of the world’s most advanced mobile money markets.

Safaricom’s new data minimization feature is configured to partially mask phone numbers for Till, PayBill, and peer-to-peer payments across the M-PESA ecosystem, a digital payments engine that processes over 137.9 million transactions per day worth KSh 118 billion.

Digital security for customers

With 14.1 million daily active peer-to-peer customers conducting 37 million transactions each day, Safaricom is leveraging data minimization to deepen customer loyalty amid competition. The move also gives the telco a strategic tool to enhance data privacy compliance.

“We have an obligation to ensure maximum digital security for our customers,” Safaricom CEO, Dr. Peter Ndegwa, said while unveiling the data privacy feature. “This feature is a major step in the right direction towards fighting against fraud”.

The innovation comes as Kenya’s mobile money ecosystem, a big driver of financial inclusion, faces calls to provide stronger safeguards on personal data. 

Increasingly, banks, fintechs, and telecommunication firms are all vying for a share in the mobile money market, where M-PESA, now 19 years old, remains a trailblazer. By embedding privacy into peer-to-peer transactions, Safaricom is strategically raising the bar for what customers can expect from their financial services providers.

Sharon Holi, Safaricom’s Head of Customer Privacy and Data Protection, noted that the journey toward data minimization started with Pochi la Biashara, a merchant payments service that limited the customer information visible to traders. 

By 2022, M-PESA statements were masking mobile numbers, and in 2023 and 2024, the company implemented API-level data minimization for large corporate partners. “This journey reflects our ongoing commitment to embedding privacy-by-design across our financial ecosystem,” Holi explained.

Social engineering schemes

Behind Safaricom’s innovation on data privacy lies a bold push to fight fraud. Masking phone numbers directly addresses one of Kenya’s persistent problems: mobile money fraud.

In Kenya and globally, fraudsters have long exploited visible phone numbers in transaction messages to perpetrate social engineering schemes, spam campaigns, and harassment. By limiting the information that can be harvested from transaction SMS, Safaricom aims to reduce the attack surface available to bad actors.

“Masking limits the information fraudsters can use while strengthening customer trust and confidence in digital transactions,” the company said in an update.

Operationally, fewer fraud incidents translate into lower dispute resolution costs, reduced reputational damage, and less regulatory scrutiny. In 2025, the High Court awarded over KSh 13 million in fines and damages to consumers who raised complaints against unwarranted contact or spamming from private entities without their express consent.

Moreover, financial services providers accounted for a third of determinations issued by the Office of the Data Protection Commissioner arising from over 5,000 consumer complaints in 2024. These complaints included improper consent management, unsolicited communication, and aggressive debt collection practices, all of which were flagged for violating data privacy principles.

“Our customers want convenience, but they also need to feel that the information entrusted to us is handled with care, respect, and integrity,” Dr. Ndegwa stated.

Long-term value

By limiting the visibility of customer phone numbers in transaction messages, Safaricom is constraining the data available to its own systems and third-party partners. 

The company says the feature applies only to displayed transaction notifications, not to internal records or API-level data shared with partners that have appropriate agreements in place.

Safaricom said that its strategy is to treat data privacy as an enabler of long-term value. “Data minimisation ensures that only the necessary information is shared or displayed, reducing exposure to misuse while maintaining a seamless customer experience,” the company said.

When a customer disputes a transaction, merchants usually cross-reference the sender’s full phone number against their records to verify. Under the new system, a masked number breaks that process.

To solve any transaction dispute, Safaricom is asking recipients to forward the payment message in question to 334. This prompt will trigger a request to the sender asking for consent to share their data. The sender may accept or decline, and each request is valid for 24 hours. The design places the decision to disclose vital data entirely with the sender, offering a deliberate choice from a privacy standpoint.

Digital payments scale globally

As digital payment systems grow globally, the need for convenience and privacy will only intensify. Safaricom’s latest innovation positions the company at the heart of a shift that regulators, consumers, and investors are demanding a solution.

Safaricom is already certified against ISO 27701 (Privacy Information Management Systems), ISO 27001 (Information Security Management Systems), and PCI DSS v4, all of which are global standards that reflect a sophisticated approach to data governance.

“We have an obligation to ensure maximum digital security for our customers,” Dr. Ndegwa said. With 40 million 30-day active customers on M-PESA, that obligation carries commercial weight.

[email protected]