Kenya’s largest telecom operator Safaricom, plans to extend data minimisation across its mobile money platform, M-PESA, by late 2026. The move will limit how much of customers’ phone numbers are exposed in transactions with merchants and banks.
Esther Waititu, Safaricom’s Chief Financial Services Officer, said the rollout will cover both merchant payments and bank transfers. “Later in the year, we will work with banks to ensure data is masked across all channels,” she said, emphasizing the need for consistent protection.
The update addresses a major privacy concern in Kenya’s payments system: phone numbers shared in transaction alerts are often reused for spam, marketing, and fraud. Masking numbers in merchant payments and cross-platform transfers aims to cut off a key source of personal data misuse at scale.
The initiative builds on an earlier change scheduled for March 24, when M-PESA will begin partially masking senders’ phone numbers in peer-to-peer transactions. Merchant payments, which remain a major point of exposure, will be the next focus.
Services like Buy Goods and Paybill, which handle a large share of everyday transactions, currently send merchants SMS confirmations with full customer phone numbers. While small businesses use these alerts to track sales and confirm payments, the same numbers are sometimes repurposed for marketing or shared beyond the transaction. Under the new system, payments will still go through and merchants will receive confirmations, but full numbers will no longer appear in SMS alerts, reducing the risk of data misuse.
The data minimisation policy will also extend to cross-system transfers—between M-PESA, banks, and other mobile money platforms such as Airtel Money limiting exposure at every step and creating a common standard across providers.
The scale of M-PESA means the change will be widely felt: the service processes 37 million daily peer-to-peer transactions worth KES 27 billion ($209 million), out of 137.9 million total transactions valued at KES 118 billion ($914 million).
Safaricom’s privacy push has been gradual. It began in 2020 with Pochi La Biashara, a product that allowed small traders to receive payments without exposing full customer details. Subsequent steps included restricting internal access to customer data, trimming personal information from statements, and adding controls to merchant-facing APIs. The 2026 updates complete the chain by extending protections to peer-to-peer and merchant transactions.
Peter Ndegwa, Safaricom CEO, acknowledged the trade-offs: “If you think about security and safety, there is always some level of inconvenience. People have built habits around how they interact, but it is more important to keep everyone safe.”
Waititu noted that dispute management may present the biggest challenge as businesses adjust to resolving payment issues without full phone numbers. “The process will require an additional step, which could introduce some friction. We are addressing this by ensuring access to information with consent from all parties,” she said.
With these updates, Safaricom aims to make M-PESA safer for millions of users while setting a higher standard for data privacy in Kenya’s digital payments ecosystem.