What PCI Counts as a SIEM, and Why Your EDR Does Not
Plenty of security teams arrive at a PCI assessment confident that their endpoint platform covers the logging rules. The assessor opens Requirement 10, asks for twelve months of reviewed logs across the cardholder data environment, and the gap appears in the first ten minutes. The endpoint tool is excellent at what it does. It was never built to do this.
The confusion is a category error, and it is an expensive one. EDR and SIEM are different product classes solving different problems, and Requirement 10 is written around the problem a SIEM solves. The standard (PCI DSS v4.0.1, Requirement 10) is specific about outcomes: audit logs for every in-scope system component (10.2), review of those logs at least once daily (10.4.1), and audit-log history retained for at least twelve months with the most recent three months immediately available for analysis (10.5.1). None of those outcomes is an endpoint function. All of them are log-management functions.
Start with what each tool was designed to count. Gartner defines a SIEM as technology that aggregates event data from security devices, network infrastructure, systems and applications, then analyses it for both real-time detection and compliance reporting (Gartner IT Glossary). The primary input is log data from across the whole estate. EDR, a category Gartner first defined in 2013, does something narrower and deeper: an agent sits on each endpoint, collects host telemetry, detects suspicious behaviour, and contains threats on the device itself (Gartner). One tool watches the whole environment through its logs. The other watches endpoints through their behaviour.
Now map that to Requirement 10. The daily-review obligation (10.4.1) covers all security events, every system that stores, processes or transmits cardholder data, all critical systems, and the servers that perform security functions: network security controls, intrusion-detection systems, authentication servers. An EDR sees none of those unless they happen to be endpoints running its agent. Firewall logs, database audit trails, application logs and authentication-server records sit outside its field of view. A SIEM, or a functionally equivalent centralised log-management platform, is the layer designed to take all of those sources, retain them, and surface the daily exceptions. NIST makes the underlying point plainly: organisations should build their log-management infrastructure around centralised log servers and storage (NIST SP 800-92).
Picture a high-resolution camera trained on one room. It will tell you everything about that room in forensic detail. It will tell you nothing about the other forty rooms, and it will not keep a year of footage from the whole building in a place one analyst can review each morning. Requirement 10 is asking about the building.
One precision point matters here, because it is where teams tend to over-correct. Requirement 10 does not name a SIEM as mandatory. It describes functions, and a SIEM is the product category built to perform them. On 31 March 2025 the use of automated mechanisms to perform log reviews (10.4.1.1) moved from best practice to a full requirement, which makes manual review of a large estate impractical for most organisations. That is the gravity pulling teams toward a SIEM, not a clause in the standard demanding one by brand.
The lines do blur in the market, which is part of why the category error is so easy to make. Many EDR products forward their telemetry into a SIEM, and several vendors now sell both under one console or fold them into an XDR platform. That integration is genuinely useful. It does not change the underlying point: the endpoint capability and the centralised log-management capability remain two distinct functions, and Requirement 10 is satisfied by the second one. A single vendor invoice can contain both. A single agent on a laptop cannot be both.
For the board, the consequence is not abstract. A misclassified control is a control gap, and a control gap surfaces at assessment as a partial or failed requirement, with remediation on a clock. The deeper exposure shows up in an incident. The standard exists because, as PCI itself states, determining the cause of a compromise is difficult without system activity logs. If the only rich telemetry lives on endpoints, the forensic account of an intrusion that moved through the network and into the database has holes in exactly the places investigators need to look. This is an architecture and budget decision, and it belongs on the board's desk rather than buried in a tooling preference.
Three moves close the gap this quarter. First, map each part of Requirement 10 to the specific system that performs it, and write down which tool owns daily review, which owns twelve-month retention, and which owns central aggregation. Second, inventory log sources across the entire cardholder data environment, network controls, databases, applications and authentication servers included, not only the endpoints. Third, confirm that automated daily review and twelve-month retention with three months immediately available are actually running, then position the EDR where it belongs: as one valuable log source feeding the central layer.
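One way to carry out the three moves above, and the earlier point that firewalls, databases and authentication servers sit outside an endpoint agent's view, is to run the control mapping as a check over the log-source inventory. This is an added example, not code from the article or from any vendor; the inventory, hostnames, retention figures and review timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Component:
    """One in-scope CDE system component (constructed inventory; names are hypothetical)."""
    name: str
    kind: str       # endpoint, firewall, database, auth-server, ...
    edr: bool       # runs the endpoint agent
    central: bool   # forwards its logs to the central log-management layer


# Constructed sample inventory: the agent is present on the hosts that can run it,
# but only two components actually feed the central platform.
INVENTORY = [
    Component("pos-laptop-01", "endpoint", edr=True, central=False),
    Component("app-server-01", "endpoint", edr=True, central=True),
    Component("fw-edge-01", "firewall", edr=False, central=True),
    Component("db-cards-01", "database", edr=False, central=False),
    Component("idp-01", "auth-server", edr=False, central=False),
]


def uncovered(inventory):
    """Components with no feed into the central layer. Agent presence alone does not
    cover 10.2/10.4.1: the telemetry has to reach the platform that is reviewed."""
    return [c.name for c in inventory if not c.central]


def edr_only(inventory):
    """Components a team may wrongly count as logged because the agent is installed."""
    return [c.name for c in inventory if c.edr and not c.central]


def retention_ok(total_days, hot_days):
    """10.5.1: at least twelve months kept, most recent three months immediately available."""
    return total_days >= 365 and hot_days >= 90


def daily_review_ok(last_review_iso, now_iso):
    """10.4.1: reviewed at least once daily, so the last review is no older than 24 hours."""
    last, now = datetime.fromisoformat(last_review_iso), datetime.fromisoformat(now_iso)
    return timedelta(0) <= now - last <= timedelta(hours=24)


def control_map(inventory, total_days, hot_days, last_review_iso, now_iso):
    """Summary of which parts of Requirement 10 actually hold for this estate."""
    return {
        "uncovered": uncovered(inventory),
        "edr_only": edr_only(inventory),
        "retention_ok": retention_ok(total_days, hot_days),
        "daily_review_ok": daily_review_ok(last_review_iso, now_iso),
    }


if __name__ == "__main__":
    # 400 days kept but only 30 hot, last review 30 hours ago: two further gaps
    print(control_map(INVENTORY, 400, 30, "2025-05-31T03:00:00+00:00", "2025-06-01T09:00:00+00:00"))
```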
Requirement 10 asks one question of every control in the environment: what happens to the log data, and who reviews it each day. Answer that for the whole estate and the product names settle themselves. The endpoint tool keeps doing the job it is good at. The logging function gets an owner that was built for it.
Sources
Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0.1 (PCI Security Standards Council, June 2024). https://www.pcisecuritystandards.org/document_library/
Information Supplement: Effective Daily Log Monitoring (PCI Security Standards Council). https://listings.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf
Definition of Security Information and Event Management (SIEM), Gartner Information Technology Glossary. https://www.gartner.com/en/information-technology/glossary/security-information-event-management
Endpoint Detection and Response Solutions Market, Gartner Peer Insights. https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions
NIST Special Publication 800-92, Guide to Computer Security Log Management (National Institute of Standards and Technology). https://csrc.nist.gov/pubs/sp/800/92/final
Disclaimer
This article is provided for general information and does not constitute legal, regulatory or compliance advice. PCI DSS requirements, supporting guidance and applicability dates are subject to change, and individual obligations depend on an organisation's environment, scope, and acquirer or assessor requirements. Verify all references against the current version of the standard and confirm your control mapping with a Qualified Security Assessor before relying on it for an assessment.