If you noticed something big missing from last week’s settlement between breach extraordinaire TJX and the Federal Trade Commission – that being dollar signs – you weren’t alone.
But before you go criticizing the FTC for going soft on a retailer that exposed some 45 million credit card numbers – or double that if you go by court filings – keep this factual tidbit in mind: The agency isn’t allowed to impose fines.
The rule has been a thorn in the FTC’s side for years, especially as it goes after more and more companies with lax data security practices in place.
Right now, the FTC can force companies to fork over ill-gotten gains and to pay for customer redress. That may work fine for spam and spyware purveyors who make a pretty good chunk of change preying on innocent web users, but the agency typically can’t apply that to legitimate companies such as TJX.
The FTC is lobbying Congress for additional power. In the meantime, the fines for breaches will come from the credit card brands (for violating Payment Card Industry standards) and countless lawsuits.
One must wonder, though, how much fining power Visa and MasterCard can have when the merchant was PCI-compliant at the time of the data loss, as was the case with the recent Hannaford Bros. breach.