Launched in 2012, Safaricom’s Lipa na Mpesa service now has an average of 30 million active users per month. The number of merchants on Lipa na Mpesa also doubled within a period of 1 year, shooting up from 172,000 in mid 2020 to 387,000 merchants in early 2022. This success is a result of the launch of a self-onboarding portal where businesses can apply for an Mpesa Paybill/Till number online and have it processed within 48 working hours. Over the years, the service has also established both local and global partnerships with Paypal, Skrill, AliExpress and Western Union, among other players, to facilitate global money transfer.

Safaricom CEO Peter Ndegwa, during Safaricom’s 5G service launch in Kenya, March 26, 2021. PHOTO: Safaricom PLC

M-pesa merchants’ data access scope

A typical Lipa na Mpesa transaction can either originate from the user’s M-PESA STK menu or be initiated programmatically through the M-pesa API, popularly known as Daraja API. Either way, the user has to enter their Mpesa PIN to complete the payment.

When the user authorizes a payment, the merchant receives a notification from M-pesa via SMS. If the Paybill or Till number is integrated with Daraja API, the merchant also receives a notification through API callbacks. In both cases, the merchant gets the customer’s full names, phone number, transaction ID and other sensitive information.

Abuse of customer data

While these features brought magical automation to digital payments, they also came with a number of shortcomings. Some merchants save customers’ data in their ERP and CRM systems and later broadcast promotional SMS to them. This does not always go down well, since most people regard it as spamming. In some unfortunate cases, merchants also sell customers’ data to third parties.

This frequent abuse of customer data with impunity has led to a public outcry.

New Customer data privacy measures

In response to data abuse complaints, Safaricom has come up with new measures to protect customer data. The new measures limit the scope of merchants’ access to customer data. Merchants will now receive the customer’s first name, the transaction ID and a redacted version of the customer’s phone number. These changes will affect both SMS and API callback notifications.

This will also be in compliance with the Data Protection Act 2019, which came into law on 25th November 2019. It requires all organizations that handle payment data to minimize the use and transfer of sensitive customer data such as names and phone numbers during the processing of a transaction.

Current notification format

OB57V1MMEV You have received Ksh 1,000.00 from Jane Rita Doe 254721345654 on 3/5/20 at 6:23 New M-PESA balance is Ksh2,345.00. Transaction cost, Ksh0.00. To reverse, Forward this message to 456.

New notification format

OB57V1MMEV You have received Ksh 1,000.00 from Jane 2547XXXXX654 on 3/5/20 at 6:23 New M-PESA balance is Ksh2,345.00. Transaction cost, Ksh0.00. To reverse, Forward this message to 456

According to an email sent to M-pesa merchants by Safaricom, the new API went live on 17th of March 2022. Merchants are required to adjust their systems and migrate to the new API by 30th June 2022. Safaricom says, “The old API will be unavailable from 11:59 PM EAT on 29th June 2022 and all partners will need to be on the new API to successfully consume our services.”

The transition to the new API will be done in batches.

Implications of the new M-pesa data privacy policy

If the new measures are indeed implemented, it means that you will not be receiving an acknowledgement SMS when you make payments. This can be fatal in cases where the merchant sends a purchase code to the number you made the payment with. A good example of this is pre-paid KPLC tokens.

In some cases, the merchant requires a user to make a payment or deposit funds from a specific mobile number. In the event that such a merchant cannot access the customer’s number, your guess is just as right as mine. Paypal, Pakakumi and other platforms fall into this category.

In other cases, a service provider may require you to enter the transaction ID to verify payment. If there are delays in Safaricom SMS gateways, you will have to wait even if it takes 3 hours to complete the payment. This could have been avoided simply if the merchant received both transaction ID and your mobile number as well.

Merchant alternatives

In future, the only way merchants can at least identify the mobile number used to make a payment is by forcing all payments to be initiated by STK PUSH. This way, they will be able to save the customer’s phone number before pushing the payment request to them for authorization. Through the STK PUSH status callback, the merchant can check the status of the merchant request ID and look up the corresponding mobile number that generated it.

However, this has many limits, since not every merchant has the technical capability to consume the M-pesa API. Again, STK PUSH does not work on all mobile devices.
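The STK PUSH correlation described above, as an added sketch that is not Safaricom's or any merchant's code: the merchant records the number it pushed the request to, keyed by merchant request ID, and resolves it when the callback arrives. The callback field names follow Daraja's STK callback shape; the `PendingPayments` store, the five-minute expiry and the redacted `PhoneNumber` value in the sample are assumptions.

```python
import time

# Constructed sample callback: Daraja STK callback shape, made-up values.
SAMPLE_CALLBACK = {"Body": {"stkCallback": {
    "MerchantRequestID": "29115-34620561-1",
    "CheckoutRequestID": "ws_CO_191220191020363925",
    "ResultCode": 0,
    "ResultDesc": "The service request is processed successfully.",
    "CallbackMetadata": {"Item": [
        {"Name": "Amount", "Value": 1000.00},
        {"Name": "MpesaReceiptNumber", "Value": "OB57V1MMEV"},
        {"Name": "PhoneNumber", "Value": "2547XXXXX654"},  # assumed redacted
    ]}}}}

def mask(msisdn):
    """Redact as in the new notification format: keep first 4 and last 3 digits."""
    return msisdn[:4] + "X" * (len(msisdn) - 7) + msisdn[-3:]

class PendingPayments:
    """Hypothetical in-memory store: MerchantRequestID -> (msisdn, expiry)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}

    def remember(self, merchant_request_id, msisdn, now=None):
        """Call right after the STK PUSH request is accepted."""
        now = time.time() if now is None else now
        self._pending[merchant_request_id] = (msisdn, now + self.ttl)

    def resolve(self, callback, now=None):
        """Return (msisdn, receipt) for a successful, known callback, else None."""
        now = time.time() if now is None else now
        stk = callback["Body"]["stkCallback"]
        # pop() makes each request one-shot, so a replayed callback resolves nothing
        entry = self._pending.pop(stk["MerchantRequestID"], None)
        if entry is None or entry[1] < now or stk["ResultCode"] != 0:
            return None
        msisdn = entry[0]
        items = stk.get("CallbackMetadata", {}).get("Item", [])
        meta = {i["Name"]: i.get("Value") for i in items}
        # A number in the callback, full or redacted, must agree with the stored one
        reported = str(meta.get("PhoneNumber", ""))
        if reported and reported not in (msisdn, mask(msisdn)):
            return None
        return msisdn, meta.get("MpesaReceiptNumber")
```

Keeping the number only until the callback resolves or the entry expires limits how long the merchant holds it, in line with the data minimisation the new measures aim for.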