CBK approves phone number masking in Lipa na M-Pesa Till and Paybill transactions

The Central Bank of Kenya (CBK) has approved Safaricom's request to mask customers' full names and phone numbers in Lipa na M-Pesa transactions.

At Techish Kenya, we have been beating the drum for digital privacy for years. We’ve written about the risks of smartphone data, tracked the maturity of Kenya’s data protection landscape, and more specifically, we have spent over half a decade highlighting the gaping hole in M-Pesa’s transaction privacy.

Today, we can finally say: It is here.

In a move that is as welcome as it is long overdue, the Central Bank of Kenya (CBK) has officially approved Safaricom’s request to mask customer names and phone numbers in Lipa na M-Pesa transactions. This change, which affects both Till and Paybill payments, marks the end of an era where every merchant had access to your full identity and contact details.

What is changing?

Moving forward, when you make a payment via Lipa na M-Pesa, the recipient (merchant) will no longer receive a confirmation message containing your full name and mobile number. Instead, they will see only your first name and a partially masked phone number (e.g., 07XX XXX 123).

This simple change effectively severs the pipeline that has enabled unscrupulous merchants to harvest customer data for unsolicited marketing, SMS spam, or even more malicious social-engineering attempts.

A journey we’ve tracked for years

For regular readers of Techish, this isn’t just a news update; it’s the conclusion of a saga we have covered extensively.

Back in January 2020, we raised the alarm regarding how much data was being leaked during a simple transaction. By July 2021, we highlighted the escalating privacy problems, noting that the lack of masking was a direct violation of the spirit of the Data Protection Act.

Safaricom has toyed with this fix before. In May 2022, we reported on a privacy fix where the telco began testing number masking using Pochi la Biashara. However, full implementation required regulatory backing. We even explored workarounds, like how to send M-Pesa anonymously, but those were mere stop-gaps.

With the CBK’s formal nod, as reported by Business Daily, the protection is now institutionalized and mandatory.

Why this matters now

The timing is critical. As we noted in our analysis of Kenya’s data protection maturity last year, the Office of the Data Protection Commissioner (ODPC) has been tightening the noose on companies that mishandle PII (Personally Identifiable Information). By masking these details, Safaricom is finally aligning its most popular product with the Data Protection Act of 2019.

For the consumer, this means no more “Thank you for shopping at [Store X]” promotional texts three days after you bought a soda. For the merchant, it means they can still verify payment via the first name and the last three digits of the phone number without needing to own your digital identity. The practice of asking a customer to show the confirmation message is now dead and gone.

What about the Daraja API?

While this is a win for consumers, it raises a significant technical question for the Kenyan dev ecosystem.

Safaricom’s Daraja API, the backbone of Lipa na M-Pesa integrations, currently returns a JSON callback containing the CustomerMobileNumber and KYCName.

So, to our developer community, we want to hear from you in the comments. Does the latest API documentation reflect this change? Are the details still visible in the JSON returned by the callback request, or is Safaricom masking the data at the API level as well? If the callback still provides full details to the backend server while masking them on the STK push/SMS, the privacy loop remains partially open.
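Whatever the API ends up returning, a merchant backend can apply the same masking to the callback before anything is logged or stored. The sketch below is an added example, not Safaricom's or Techish's code: the field names CustomerMobileNumber and KYCName are the ones named above, while the rest of the payload shape and the helper names are assumptions, and the sample data is constructed.

```python
import re

# Field names as given in the article; the payload shape is an assumption.
PHONE_FIELD = "CustomerMobileNumber"
NAME_FIELD = "KYCName"


def mask_msisdn(raw):
    """Return a Kenyan mobile number as 07XX XXX 123 (last three digits kept)."""
    digits = re.sub(r"\D", "", str(raw))
    if digits.startswith("254") and len(digits) == 12:
        digits = "0" + digits[3:]      # 2547... -> 07...
    elif len(digits) == 9:
        digits = "0" + digits          # 7... -> 07...
    if len(digits) != 10 or not digits.startswith("0"):
        return "REDACTED"              # unknown format: fail closed
    return f"{digits[:2]}XX XXX {digits[-3:]}"


def first_name_only(raw):
    """Keep only the first name, as the masked confirmation message does."""
    parts = str(raw).split()
    return parts[0].title() if parts else ""


def minimise_callback(payload):
    """Return a copy of the callback with PII fields replaced by masked forms."""
    safe = dict(payload)
    if PHONE_FIELD in safe:
        safe[PHONE_FIELD] = mask_msisdn(safe[PHONE_FIELD])
    if NAME_FIELD in safe:
        safe[NAME_FIELD] = first_name_only(safe[NAME_FIELD])
    return safe


# Constructed sample callback (not real customer data).
SAMPLE = {
    "TransID": "EXAMPLE123",
    "TransAmount": "50.00",
    "CustomerMobileNumber": "254700000123",
    "KYCName": "JANE WANJIKU DOE",
}

if __name__ == "__main__":
    print(minimise_callback(SAMPLE))
```

Calling minimise_callback at the very top of the callback handler means logs, databases and analytics only ever see the masked values; the last three digits and first name remain available for matching a payment at the counter.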

Still, this move by the CBK and Safaricom is a landmark moment for financial privacy in Kenya. It transforms M-Pesa from a broadcast system into a more secure, private payment rail. It has taken six years of advocacy and regulatory pressure, but M-Pesa users can finally pay for goods without handing over their digital life story.

What do you think? Is this the privacy fix you’ve been waiting for, or is it too little too late? Let us know in the comments.

Hillary Keverenge

Making tech news helpful, and sometimes a little heated. Got any tips or suggestions? Send them to hillary@tech-ish.com.
