Officials said the thefts were carried out by "wardriving", driving around outside the offices of a major store and using a handheld device to detect a wireless signal from that firm's computers.

Hackers then upload so-called 'sniffer' software onto its computer network to grab data including passwords and other account details.

In this instance, the biggest victim of the fraud was the US firm TJX, which trades in the UK as TK Maxx. Data theft began at TJX in 2003 but was not discovered until March 2007. By then, details of 45.7 million credit and debit cards from Britain, the US and Canada had been stolen.

UK experts believe relatively few frauds have been carried out against UK cardholders. That's because the thefts came as the UK's card industry was switching from the old-style magnetic strips towards the more secure Chip and Pin, meaning old cards became redundant as their details were being stolen.

However, the fact that card numbers can be stolen so easily raises critical questions about how it is possible to prevent identity theft on a massive scale in the UK.

At Apacs, the banks' centralised payment and clearing system, a spokeswoman said its anti-fraud activities are working:

"In the past three years losses on face-to-face transactions on the UK high street have fallen by two-thirds, from £218m in 2004 to £73m last year. Fraud on lost and stolen cards and mail non-receipt fraud are at their lowest levels for 10 years."

She added that responsibility for card security rests on three key players: banks and card issuers, consumers who use them, and retailers who accept them.

The evidence is that card companies take their responsibilities increasingly seriously. A Barclaycard spokesman said: "We have the largest fraud department in Europe, with 400 people monitoring card transactions. We also operate a fraud referral system, called Falcon, which looks for suspicious transactions at home and abroad.

"Every transaction has a score with a number attached and we give different weightings to the amount spent, what type of retailer the card is being used with, in which country, what the time of day is and so on. If you get above a certain number, your transaction will be referred back and we will attempt to get in touch with you to ensure that it is legitimate."

Other card issuers also operate sophisticated systems that alert their own internal fraud teams if suspicious use is detected.

The central question raised by the TK Maxx theft is whether retailers are doing enough to prevent a repeat in the UK.

The British Retail Consortium, which represents the UK's stores, appears to pin its hopes on the card companies' security precautions rather than its own members' systems.

A spokesman said: "In the unlikely event a cardholder is an innocent victim of any type of fraud, they have excellent protection under the Banking Code which means that they will not suffer any financial loss."

The payment card industry (PCI) does subscribe to security standards called PCI DSS. Any company processing, storing or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments. In the worst-case scenario, a retailer whose security lapses led to fraud on a major scale could be heavily fined by the bank through which it operates its credit card business.

However, one technology expert said: "Some retailers are still using old-style security to protect their wireless networks. They are not spending the money needed to upgrade their security.

"Maybe it's down to the credit crunch, or it could be they don't believe it could happen to them. If a determined criminal wanted to, they could easily crack some UK retailers' systems the same way as they did with TK Maxx."

The industry itself stresses its fraud prevention systems do work. A Visa Europe spokesman said: "Occasionally criminals may exploit one component of the payment system. However, our multiple layers of protection respond quickly and minimise impact to cardholders.

"To remain one step ahead of criminals we are continuously enhancing our security programmes through improving technologies, collaboration across the industry and with law enforcement, and through consumer education and awareness.

"As a result of our efforts, the Visa Europe fraud rate (the proportion of fraud to sales] is 0.053%."

He stressed that a critical principle of the card payment system is that if fraud takes place, the customer will pay nothing if he or she is not responsible: "This is the cornerstone of the system, which is needed to maintain total confidence in payment cards."