I've had a similar system for 7 years - with surprisingly little attempted fraud.

For precautions:
1) I issue the gc number right away, but I don't charge the purchasing credit card immediately - I wait a few days to give stolen card numbers a chance to be reported - if an order comes in in the meantime using the gc, I put it on hold until the card is charged.
2) I have a checksum in the gc number which I use for error checking on order entry - this number allows me to check for typos in the number without needing to say it is a valid gc.
3) The only way of getting a balance for the gc is to call us or have the balance emailed to an email address given to us at the time of purchase.

Thank you for your reply.
Do you think the checksum is necessary?
I did a random mix of 6 digits: alpha and numeric.
I thought it would be harder to imitate.
Would you recommend checksum instead?
any php snippets to help me produce it?

I'm guessing you are using 0-9 and A-Z. (I would recommend against using I and O as they are too easy to confuse with one and zero) Just assign a numeric value to each letter - 10 for A, 11 for B...36 for Z. If you want to keep your 6 digits, add up the value of the first five characters and take the mod 36. So if you had 1A2B3 for your first five characters you would add 1+10+2+11+3 which gives you 27, take the mod 36 of that which is 27 and then convert that back into a character Q so you end up with 1A2B3Q.

I appreciate your help!
I implemented the checksum, and now I'm second guessing: how does this make it more secure?
Isn't pure random best?

Thanks also for the tips to omit I and O: good ideas!

The only reason I can see a checksum being useful is that it allows you to deny a GC number before doing a SELECT from a database.

Just like we can give the user an "invalid credit card number" message if the number is not valid before we even connect to the payment processor.

For security, perhaps you could could ask the purchaser if they want to restrict use to a certain state or even zip code.

What I do is just accept any gc with a valid checksum silently - even if it isn't legit. This way, people can't just keep trying different numbers until they get a valid gc. I do the same kind of thing on checking balances on gc. I will send a balance to any email address given at time of gc purchase or over the phone, but not anonymously online. The combination of these pretty much eliminates the fraud at the redemption of gc.