I've done work for one of "those" companies. I've also develop the algorithm to randomly generate the card numbers. Brute force on the last 9 digits of a 19 digit card number, Good luck, and they employ pen testers to prevent it.
EDIT:
Ok I've decided to expand the answer on this for the sake of sharing knowledge. I know, ppl get brainfarts and rush to post stuff but we are here to learn.
Here is how a Card system / network, like Amazon's Gift-Cards, most probably works. There are three players in this equation, the distribution partner (DP - the shop or website selling the product), aggregator network partner (AN - the link between DP and CP) and the content partner (CP - like Amazon).
In brief:
The DP is a network on its own, consisting of Point of Sales (POS) devices, like tills/cash registers, servers, db, etc. The POS will send the card details to the DP's server, where more information will be added to the message that will be send to the AN. This communications between the DP and AN is most likely secured, e.g. certificate exchanged etc.
The AN will verify where the message came from and the contents of the message. It will check the fields in the message against information provided by the CP pertaining to the product being sold. If there is something wrong the AN will send an error back to the DP.
The CP will activate the product only if all the information match up. The CP can void the product if it suspect fraud. The CP will then reply to the AN which in turn will reply back to the DP.
Sometimes the CP can act as all three or as AN and CP. As for the AN part, that can also be divided into multiple networks, i.e. local AN company connecting to an international AN company that connects to another local AN company.
As for the Card number; it is usually specified according to an ISO standard and is either 16 or 19 digits. But CP may choose what ever they like. Usually a 19 digit card number is broken up in 4 parts; BIN number (6 digits), Issuer Ref (4 digits), Random numbers (8 digits) and a check digit (1 digit). You can figure out what the first two parts are by looking at existing cards. The third part is a random, non-sequential number (search for large non-sequential random generating algorithms) and the check bit is usually use Luhn algorithm.
Digital gift-card follow about the same route but might even be more secure due to the fact that the access is online and there are a shitload of skidies out there...
Each of these partners in this network spend a lot of time, effort and money to ensure their (part of the) network is secure. I'm not saying it is impossible to hack, but like all things concerning money, a lot of percussion were made.
So my question to OP is, where will you start? What will be your entry point?
