My two cents on this topic.
In general terms, storage is quite cheap and cost of storage shouldn't be too high.
As personal consideration, I always consider 12 months as minimum period for log retention, but this is just my personal approach, and it obviously change based on the scenario and compliance needed (as you mentioned, PCI has a specific retention period, and other standards too).
On my experience the longest retention period was 5 years for a specific project with financial implications.
From security prospective, If you have a SIEM solution of behavioral analysis tool, you should be able to detect an attack in a reasonable amount of time.
I believe the avg time to detect an intrusion is around 200 days, which should be another aspect to consider for investigation.